Run only allowed Windows applications

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I am an administrator on a fairly tightly controlled network. We use the
"Run only allowed Windows applications" option in our Group Policies and then
list all the executables which are permitted. Recently we installed Office
2003 and added, among others, WINWORD.EXE to our list of allowable
applications.

Here's the problem: When I am logged in with the above restrictions (not as
an admin) and click on a hyperlink I receive the following error: "This
Operation has been cancelled due to restrictions in effect on this computer".
This is true for all link types: URL, External Word document, and internal
bookmark. If I change the restriction to allow running any application, the
error goes away and it works fine. This leads me to believe that I need to
add an application to the allowed list.

My question: How do I find out what executable Word is trying to call so
that I can add it to the "Allowed Applications" list?

Any assistance is greatly appreciated
~Greg Price
3 answers Last reply
More about allowed windows applications
  1. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    HalosPrice wrote:

    > I am an administrator on a fairly tightly controlled network. We use the
    > "Run only allowed Windows applications" option in our Group Policies and then
    > list all the executables which are permitted. Recently we installed Office
    > 2003 and added, among others, WINWORD.EXE to our list of allowable
    > applications.
    >
    > Here's the problem: When I am logged in with the above restrictions (not as
    > an admin) and click on a hyperlink I receive the following error: "This
    > Operation has been cancelled due to restrictions in effect on this computer".
    > This is true for all link types: URL, External Word document, and internal
    > bookmark. If I change the restriction to allow running any application, the
    > error goes away and it works fine. This leads me to believe that I need to
    > add an application to the allowed list.
    >
    > My question: How do I find out what executable Word is trying to call so
    > that I can add it to the "Allowed Applications" list?
    >
    > Any assistance is greatly appreciated
    Hi

    For our Office 2000 installation, this is what we put into
    the AppSec list:

    %ProgramFiles%\Office\excel.exe
    %ProgramFiles%\Office\winword.exe
    %ProgramFiles%\Office\powerpnt.exe

    %ProgramFiles%\Office\BINDER.EXE
    %ProgramFiles%\Office\GRAPH9.EXE
    %ProgramFiles%\Office\MSO7FTP.EXE
    %ProgramFiles%\Office\MSO7FTPA.EXE
    %ProgramFiles%\Office\MSO7FTPS.EXE
    %ProgramFiles%\Office\MSOHTMED.EXE
    %ProgramFiles%\Office\MSQRY32.EXE
    %ProgramFiles%\Office\OSA9.EXE
    %ProgramFiles%\Office\SETLANG.EXE
    %ProgramFiles%\Office\WAVTOASF.EXE

    %ProgramFiles%\Office\1033\MSOHELP.EXE
    %ProgramFiles%\Office\1033\PROJWIZ.EXE
    %ProgramFiles%\Office\Xlators\PPVIEW32.EXE

    %ProgramFiles%\Common Files\Microsoft Shared\Artgalry\ARTGALRY.EXE
    %ProgramFiles%\Common Files\Microsoft Shared\Artgalry\CAG.EXE
    %ProgramFiles%\Common Files\Microsoft Shared\dasetup\dasetup.exe
    %ProgramFiles%\Common Files\Microsoft Shared\Equation\EQNEDT32.EXE
    %ProgramFiles%\Common Files\Microsoft Shared\MSInfo\MSINFO32.EXE
    %ProgramFiles%\Common Files\Microsoft Shared\MSInfo\OFFPROV.EXE
    %ProgramFiles%\Common Files\Microsoft Shared\OrgChart\ORGCHART.EXE
    %ProgramFiles%\Common Files\Microsoft Shared\PhotoEd\PHOTOED.EXE

    %WinDir%\MSAGENT\AGENTSVR.EXE
    %WinDir%\System32\PACKAGER.EXE


    --
    torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
  2. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Well, I checked and all the files you listed are in our allowed executables
    list, except for the ones that are not installed on the system, and still no
    luck. Any other ideas?

    ~Greg
  3. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    HalosPrice wrote:

    > Well, I checked and all the files you listed are in our allowed
    > executables list, except for the ones that are not installed on
    > the system, and still no luck. Any other ideas?
    Hi

    Enable "Failure attempts" on the Audit Policy "Audit process tracking"
    and "Audit object access", and then check the event log after trying
    to start Word.


    You also use Filemon from Sysinternals that does a real time logging
    of file accesses, and look for failed operations there.

    http://www.sysinternals.com/


    --
    torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
    Administration scripting examples and an ONLINE version of
    the 1328 page Scripting Guide:
    http://www.microsoft.com/technet/scriptcenter/default.mspx
Ask a new question

Read More

Windows XP