Then I would publish out each application icon to one group. The problem lies if someone receives an Excel attachment in Outlook for example, if they dont have access to Excel then it would still open when they clicked it. This could be controlled via NTFS permissions on excel.exe. Philip Walley <philip.walley@xxxxxxxxxxxxxx> wrote: that will work unless a user has explicit access or is a member of another group that has rights. If that is what you need to do, I don't think there is much that can be done other then setting the rights on the .exe -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of John Elstone Posted At: Wednesday, September 15, 2004 4:43 PM Posted To: The thin mailing list Conversation: [THIN] Re: Published App Groups Subject: [THIN] Re: Published App Groups Dont give that user group access to the published app and they wont get the icon to run it. If you want to secure it further you can modify the permissions on the executable so its the same as the published app. "Turman, David C." <david_turman@xxxxxxxxxxxxxxxx> wrote: Is there any way to explicitly deny a group running a published app on MF XP like you can deny in access NTFS?