Block or Allow Applications for Users in Windows - Guide

Restricting Application Access in Windows
Windows provides administrators with methods to control which applications users can execute on a PC. It's possible to either prevent the use of specific programs or to permit only a pre-defined set of applications.
Blocking Specific Applications
You can prevent users from running unwanted applications through Windows settings. This allows for a tailored computing experience, enhancing security and productivity.
Allowing Only Specific Applications
Alternatively, Windows allows you to restrict users to a curated list of approved applications. This is a more stringent control method.
Important Note: Exercise extreme caution when modifying user account settings. Always verify you are altering the intended account and maintain access to an unrestricted administrative account for reversal purposes.
Restricting access, particularly to a specific application set, can lock users out of essential administrative tools like the Registry Editor and Local Group Policy Editor.
Reversing Restrictions
If restrictions are inadvertently applied to an administrative account, recovery can be challenging. The most reliable method we've discovered involves utilizing System Restore.
To access System Restore, navigate to Settings > Update & Security > Recovery and select "Restart now" under Advanced Startup. This will allow you to initiate System Restore after the restart, as the standard method will be inaccessible.
Creating a Restore Point
Before implementing any of these changes, it is strongly advised to create a system restore point. This provides a safety net, enabling you to revert to a previous state if necessary.
Creating a restore point safeguards against unforeseen issues and simplifies the process of undoing any unintended consequences of these modifications.
Home Users: App Blocking or Restriction via Registry Editing
For Windows Home edition users seeking to block or restrict applications, modifications to the Windows Registry are necessary. These settings live under HKEY_CURRENT_USER, so log in as the user the changes are intended for and make the Registry edits from that account. If alterations are required for multiple users, the process must be repeated for each one.
A standard caution: The Registry Editor is a potent tool, and improper use can lead to system instability or failure. While this procedure is relatively straightforward, adhering to the instructions is vital. If you are unfamiliar with its operation, it’s advisable to familiarize yourself with Registry Editor usage before proceeding. Furthermore, always back up the Registry and your computer before making any changes.
Blocking Specific Applications Through the Registry
Begin by logging into Windows with the user account for which you wish to block applications. Launch the Registry Editor by pressing Start and typing "regedit." Press Enter to open the Registry Editor and grant it permission to modify your PC.

Within the Registry Editor, navigate to the following key using the left sidebar:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies

Create a new subkey within the Policies key. Right-click the Policies key, select New > Key, and name the new key Explorer.

Now, create a new value inside the newly created Explorer key. Right-click the Explorer key and choose New > DWORD (32-bit) value. Name this new value DisallowRun.

Double-click the DisallowRun value to access its properties. Change the "Value data" from 0 to 1, then click "OK."

Return to the main Registry Editor window and create another subkey inside the Explorer key. Right-click the Explorer key and select New > Key. Name this new key DisallowRun, mirroring the value you previously created.

Begin adding the applications you want to block. Create a new string value within the DisallowRun key for each application. Right-click the DisallowRun key and select New > String Value. Name the first value "1."

Double-click the new value to open its properties. Enter the name of the executable you want to block (for example, notepad.exe) into the "Value data" field, and then click "OK."

Continue this process, naming subsequent string values "2," "3," and so on, and adding the executable file names of the applications you wish to block to each value.

After completing these steps, restart Windows, log in with the target user account, and test the configuration by attempting to run one of the blocked applications. A "Restrictions" window should appear, indicating that the application cannot be executed.

Repeat this procedure for each user account requiring application blocking. However, if you are blocking the same applications across multiple accounts, consider creating a custom Registry hack. Export the DisallowRun key after configuring the first user account, then import it into each subsequent account after logging in.
To modify the list of blocked applications, return to the DisallowRun key and make the necessary adjustments. To restore access to all applications, either delete the entire Explorer key (including the DisallowRun subkey and all its values) or revert the DisallowRun value back to 0, effectively disabling application blocking while preserving the list for future use.
Restricting Access to Only Certain Applications Through the Registry
The process for restricting users to running only specified applications in the Registry closely mirrors the procedure for blocking specific applications. Log in to Windows using the user account you intend to modify. Launch the Registry Editor and navigate to the following key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
Right-click the Policies key, select New > Key, and name the new key Explorer.

Create a new value inside the Explorer key. Right-click the Explorer key and choose New > DWORD (32-bit) value. Name this new value RestrictRun.

Double-click the RestrictRun value to open its properties. Change the "Value data" from 0 to 1, then click "OK."

Create another subkey inside the Explorer key. Right-click the Explorer key and select New > Key. Name this new key RestrictRun, consistent with the value you just created.

Now, add the applications the user is permitted to access. Create a new string value within the RestrictRun key for each allowed application. Right-click the RestrictRun key and select New > String Value. Name the first value "1."

Double-click the new value to open its properties. Enter the name of the executable you want to allow (for example, notepad.exe) into the "Value data" field, and then click "OK."

Repeat this process, naming the values "2," "3," and so on, and adding the executable file names of the applications the user should be able to run to each value.

After completing these steps, restart Windows, log in with the target user account, and test the configuration. Only the applications you explicitly allowed should be runnable. Repeat this process for each user account or create a Registry hack for faster application of settings.
To undo these changes, either delete the Explorer key (along with the RestrictRun subkey and all values) or set the RestrictRun value back to 0, disabling restricted access.
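The two Registry procedures above (DisallowRun for blocking, RestrictRun for allowing only a list) differ only in the value and subkey name, so one script can apply, disable and audit either. This is an added PowerShell example, not part of the original guide; the function and parameter names (Set-RunPolicy, Disable-RunPolicy, Get-RunPolicy, -Mode, -Executable) are hypothetical, and it assumes it runs in a session of the target user so that HKCU is that user's hive.

```powershell
# Added example; names are hypothetical. Run as the target user (HKCU = that user's hive).
$ExplorerKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-RunPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('DisallowRun', 'RestrictRun')][string]$Mode,
        [Parameter(Mandatory)][string[]]$Executable
    )
    # Entries are bare executable names such as notepad.exe, not paths.
    $bad = @($Executable | Where-Object { $_ -match '[\\/:]' })
    if ($bad) { throw "Use file names only, not paths: $($bad -join ', ')" }
    # An allow-list without regedit.exe leaves this account unable to undo it.
    if ($Mode -eq 'RestrictRun' -and $Executable -notcontains 'regedit.exe') {
        Write-Warning 'regedit.exe is not allowed; keep an unrestricted admin account.'
    }
    $listKey = Join-Path $ExplorerKey $Mode
    if ($PSCmdlet.ShouldProcess($listKey, "write $($Executable.Count) entries")) {
        # Recreate the subkey so entries from an earlier list do not linger.
        if (Test-Path $listKey) { Remove-Item $listKey -Recurse -Force }
        New-Item -Path $listKey -Force | Out-Null
        for ($i = 0; $i -lt $Executable.Count; $i++) {
            New-ItemProperty -Path $listKey -Name "$($i + 1)" -Value $Executable[$i] `
                -PropertyType String | Out-Null
        }
        # The DWORD named like the subkey switches the policy on (1) or off (0).
        New-ItemProperty -Path $ExplorerKey -Name $Mode -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Disable-RunPolicy {
    param([Parameter(Mandatory)][ValidateSet('DisallowRun', 'RestrictRun')][string]$Mode)
    # Setting the DWORD to 0 stops enforcement but keeps the list for later.
    if (Test-Path $ExplorerKey) { Set-ItemProperty -Path $ExplorerKey -Name $Mode -Value 0 -Type DWord }
}

function Get-RunPolicy {
    foreach ($mode in 'DisallowRun', 'RestrictRun') {
        $flag = (Get-ItemProperty $ExplorerKey -Name $mode -ErrorAction SilentlyContinue).$mode
        $key = Get-Item (Join-Path $ExplorerKey $mode) -ErrorAction SilentlyContinue
        $list = if ($key) { @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) }) } else { @() }
        [pscustomobject]@{ Policy = $mode; Enabled = ($flag -eq 1); Executables = $list }
    }
}

Set-RunPolicy -Mode DisallowRun -Executable 'notepad.exe' -WhatIf  # preview; drop -WhatIf to apply
Get-RunPolicy | Format-List
```

Microsoft's description of these two policies states that they only apply to programs started by the File Explorer process, so treat the lists as a usability control rather than a security boundary.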
Managing Application Access: Utilizing Local Group Policy Editor for Pro and Enterprise Users
For those utilizing the Professional or Enterprise editions of Windows, controlling which applications can be executed can be streamlined through the Local Group Policy Editor. A significant benefit of this method lies in its ability to deploy policy configurations to multiple users, or even defined user groups, without the need for individual account logins – a contrast to the Registry Editor approach.
However, initial configuration is required, specifically the creation of a policy object targeted at the intended users. Detailed instructions for this process can be found in our guide concerning the application of localized Group Policy adjustments to specific user accounts. It’s also crucial to recognize the power inherent in group policy settings, warranting a thorough understanding of its capabilities. Furthermore, if your computer is connected to a corporate network, consulting with your system administrator beforehand is highly recommended, as domain group policies may override local settings.
The procedures for blocking applications and for restricting users to an approved list via the Local Group Policy Editor are remarkably similar. We will demonstrate how to restrict users to a predetermined set of applications, noting where the steps differ for blocking specific applications. Begin by locating the MSC file created for managing policies for the designated users.
Double-click the MSC file to initiate the editor and grant the necessary permissions for system modifications. In this instance, we are employing a configuration designed to apply policies to all non-administrative user accounts.
Within the Group Policy window, navigate through the left-hand pane to User Configuration > Administrative Templates > System. On the right side, identify and double-click the "Run only specified Windows applications" setting to access its properties dialog. Conversely, to block specific applications, select the "Don't run specified Windows applications" setting.

Within the properties window, select the "Enabled" radio button and then click the "Show" button to proceed.

The "Show Contents" window will appear. Here, for each line in the list, enter the name of the executable file corresponding to the applications users are authorized to run, or those you wish to block. Once the list is complete, click "OK."

You may now close the Local Group Policy window. To verify the effectiveness of your changes, log in using one of the affected user accounts and attempt to launch a restricted application. Instead of the application launching, an error message should be displayed.

To revert these changes, reopen the Local Group Policy editor by double-clicking your MSC file. Then set the "Run only specified Windows applications" or "Don't run specified Windows applications" setting to "Disabled" or "Not Configured." This deactivates the setting and clears the existing application list. Re-enabling the feature will require re-entering the list of permitted or blocked applications.