JSI Tip 0496 - How can I prevent users from running Explorer.exe?

Jerold Schulman

April 16, 1998

1 Min Read
ITPro Today logo in a gray background | ITPro Today

Even if you Locked down that desktop and are using RestrictRun, educated users can still gain access to Explorer by inserting an object (Explorer.exe) from a Microsoft Office application.

To prevent this, remove the Read (R) permission (retain the Execute (X) permission) from the Everyone Group. If the file can not be read, they can't insert an object, yet the Execute permission still allows Explorer to function as the shell.

In Explorer, highlight %SystemRoot%Explorer.exe, right-click, and select Properties / Security / Permissions. Double-click the Everyone Group and clear the Read(R) attribute in the Special Access dialog box. You can also use XCACLS from the


xcacls.exe explorer.exe /t /e /p everyone:x

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like