Windows privacy policies allow you to restrict the rights of users whose actions can harm the system. For example, parents want to control the installation of games by their children, and the administrator of a work computer believes that only he has the right to install new programs.
Instructions
Step 1
To set up bans, you need administrator rights. Call the command line using Win + R and enter the secpol.msc command. The Local Security Settings snap-in opens.
Step 2
Expand Software Restriction Policies. Under Object Type, double-click Assigned File Types. The properties window lists the types of files that will be considered executable code.
Step 3
You need to remove from this list programs that can be installed by other users. For example, if one of them works with Excel tables or Access databases, check these items in the list and click Remove. Also remove LNK - "Shortcut". Click OK to confirm
Step 4
Double-click the "Enforce" item and switch the "Apply Restricted Policies …" radio button to the "For all but local administrators" position. Expand the Security Levels folder and double-click Unlimited. Click "Default" and OK to confirm.
Step 5
Expand the Security Levels folder and double-click Unlimited. Click "Default" and OK to confirm.
Step 6
Now other users will be able to run only programs installed by you or by the system. By default, they are located in the Program Files and SystemRoot folders. If some programs are in other sections, they need to be added to the list of allowed.
Step 7
Expand the Additional Rules snap-in and in the Name section, right-click on the free space. Select the "Create path rule" command and specify the path to the folder where the permitted programs are located.
Step 8
To prevent users from copying prohibited software to these folders, set permissions on them. Right click on the folder shortcut and select "Sharing and Security". In the "Security" tab, set permissions for each of the user groups.
Step 9
Click "Advanced" and go to the "Permissions" tab. Select a user group, click the "Change" button and in the new window, check the boxes for the actions that are allowed or denied for this group.
