DOCUMENT:Q156699 09-AUG-2001 [winnt] TITLE :Limitations of "Run Only Allowed Windows Application" PRODUCT :Microsoft Windows NT PROD/VER:4.0 OPER/SYS: KEYWORDS:kbenv ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Workstation version 4.0 - Microsoft Windows NT Server version 4.0 ------------------------------------------------------------------------------- SUMMARY ======= The Windows NT 4.0 System Policy Editor allows administrators to determine what applications can be run on computers running Windows NT 4.0 by using the "Run only allowed Windows applications" option. MORE INFORMATION ================ The "Run only allowed Windows applications" entry under the System Restrictions book of System Policy Editor can be assigned to specific users and groups, or to default users. Enabling this option limits what applications can be run on computers running Windows NT 4.0, if the applications are called through the shell name space. When a user attempts to run an application not specified in System Policy Editor, the following error message is displayed: Restrictions: This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator. Microsoft Office applications, including Office 95, include the utilities Msinfo.exe and Msinfo32.exe. These applications bypass the shell name space and, because of this, they are not monitored or restricted by the System Policy. This allows users to run applications even if they are not listed in the System Policy's "Allowed to run" list. Administrators may choose to customize installations so these utilities are not installed. Another consideration for System Policies is the use of reference accounts. A reference account is a special user created specifically as the logon account for the administrator who will be setting System Policies. Logging on as an administrator named POLICY and setting policies under this account will help prevent a situation in which even administrators cannot run server tools. It is easy, by using the "Allowed to run" policy, to restrict even the administrator account from running administration tools. Because of this it is better not to manage System Policies while logged on as Administrator. Additional query words: prodnt ====================================================================== Keywords : kbenv Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400 kbWinNTW400search kbWinNT400search kbWinNTSsearch kbWinNTS400search kbWinNTS400 Version : 4.0 ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.