JSI Tip 0496 - How can I prevent users from running Explorer.exe?
Jerold Schulman
April 16, 1998
1 Min Read
Even if you Locked down that desktop and are using RestrictRun, educated users can still gain access to Explorer by inserting an object (Explorer.exe) from a Microsoft Office application.
To prevent this, remove the Read (R) permission (retain the Execute (X) permission) from the Everyone Group. If the file can not be read, they can't insert an object, yet the Execute permission still allows Explorer to function as the shell.
In Explorer, highlight %SystemRoot%Explorer.exe, right-click, and select Properties / Security / Permissions. Double-click the Everyone Group and clear the Read(R) attribute in the Special Access dialog box. You can also use XCACLS from the
xcacls.exe explorer.exe /t /e /p everyone:x
About the Author
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
You May Also Like