Windows: Windows Server 2003 R2 Disallow Run

This article describes a registry subkey setting in Windows Server 2003 R2 and Windows XP and was originally published as DisallowRun.  The article has been updated to correct known issues and has been reproduced here to allow the community to correct any other inaccuracies and provide other enhancements prior to including updates in the official version of this topic.

DisallowRun

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Description

The DisallowRun subkey contains a list of Windows programs that users cannot run. This list is used only when the value of the DisallowRun entry is 1.

This subkey stores the contents of the Show Contents box in the Don't run specified Windows applications Group Policy. Group Policy adds this subkey and its entries to the registry when you enable the policy. If you disable the policy or set it to Not configured, Group Policy deletes this subkey and its entries from the registry.

Each entry in this subkey represents a Windows program, such as Notepad, and contains the name of the executable file for the program, such as Notepad.exe. The numbers that name these entries only represent the order in which the programs are entered. They do not affect the feature.

These entries have the following format. All entries must include the file name extension of the file:

| Entry name | Data type | Value |
|---|---|---|
| Item-number | REG_SZ | Name of executable file |

For example, the following entry prevents restricted users from using Microsoft Word (Winword.exe):

| Entry name | Data type | Value |
|---|---|---|
| 1 | REG_SZ | Winword.exe |

Change method

To change the value of this entry, use Group Policy. This entry corresponds to the Don't run specified Windows applications Group Policy (User Configuration\Administrative Templates\System).

NOTE: The DisallowRun entry enables the Don't run specified Windows applications policy. If the DisallowRun entry is not in the registry, or if its value is 0, the policy is not enabled, and the system ignores the DisallowRun subkey and its entries.

This entry only prevents users from running programs that are started by the Windows Explorer process. It does not prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt, Cmd.exe, this policy does not prevent them from starting programs in the command window that they are not permitted to start by using Windows Explorer.

The Run only allowed Windows applications policy takes precedence over the Don't run specified Windows applications policy. If both policies are applied to the same user, the Run only allowed Windows applications policy is implemented and the Don't run specified Windows applications policy is ignored.
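The following audit sketch is an added example, not part of the original article. It parses text in the layout printed by `reg query <key> /s` and applies the rules described above: the list counts only when the DisallowRun entry is 1, entries need a file name extension, and the Run only allowed Windows applications policy overrides the list. The sample text is constructed, and the `RestrictRun` entry name for that second policy is an assumption that does not appear on this page.

```python
import re

# Constructed sample in the layout printed by `reg query <key> /s`.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    DisallowRun    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
    1    REG_SZ    Winword.exe
    2    REG_SZ    regedit
"""

BASE = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_LINE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Return {key_path_lowercase: {entry_name: (data_type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None and (m := VALUE_LINE.match(line)):
            current[m.group(1)] = (m.group(2), m.group(3))
    return keys

def dword(entries, name):
    """Value of a REG_DWORD entry; 0 when the entry is absent."""
    kind, data = entries.get(name, ("", "0x0"))
    return int(data, 16) if kind == "REG_DWORD" else 0

def audit_disallow_run(text):
    keys = parse_reg_query(text)
    policy = keys.get(BASE.lower(), {})
    subkey = keys.get(BASE.lower() + r"\disallowrun", {})
    # Entry names only record entry order; they do not affect the feature.
    listed = [data for _, (kind, data) in sorted(subkey.items()) if kind == "REG_SZ"]
    enabled = dword(policy, "DisallowRun") == 1
    overridden = dword(policy, "RestrictRun") == 1  # assumed entry name
    findings = []
    if listed and not enabled:
        findings.append("DisallowRun entry is not 1: the list is ignored")
    if overridden:
        findings.append("Run only allowed policy is set: the list is ignored")
    findings += [f"{n}: missing file name extension" for n in listed if "." not in n]
    if enabled and not any(n.lower() == "cmd.exe" for n in listed):
        findings.append("Cmd.exe not listed: listed programs still start from a command window")
    effective = enabled and not overridden
    return {"effective": effective, "blocked": listed if effective else [], "findings": findings}
```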