Only allow approved Shell extensions

Archived from groups: microsoft.public.win2000.group_policy

Only allow approved Shell extensions
User Configuration\Administrative Templates\Windows Components\Windows Explorer

Description
Directs Windows to start only the user interface extensions that the system
security or the user have approved.

When the system detects that the user is downloading an external program
that runs as part of the Windows user interface, the system searches for a
digital certificate or requests that the user approve the action. If you
enable this policy, Windows only starts approved programs.

This policy is designed to protect the system from damage from programs that
do not operate correctly or are intended to cause harm.

To view the approved user interface extensions for a system, start a
registry editor (Regedt32 or Regedit). The system stores entries
representing approved user interface extensions on a system in the following
registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved


How is this policy different than or similar to 'Run only allowed Windows
applications' or appsec? Might this best be used in conjunction with these
others? What does this policy really do?

Thanks
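
The policy text quoted in the question names the registry key that holds the approved list. As an added example (not part of the original post or of Microsoft's documentation), the PowerShell below audits that key from a defender's side: it lists every approved CLSID, resolves it to its in-process server DLL through the standard COM registration under HKEY_CLASSES_ROOT\CLSID, and reports entries whose DLL is missing or lacks a valid Authenticode signature. The function name `Get-ApprovedShellExtension` is hypothetical, and resolving bare file names against System32 is an assumption of this audit.

```powershell
# Added example: audit the approved shell extension list named in the post.
$approvedKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'

function Get-ApprovedShellExtension {
    param([string]$Path = $approvedKey)

    $key = Get-Item -LiteralPath $Path -ErrorAction Stop
    foreach ($clsid in $key.GetValueNames()) {
        # Skip the (Default) value and any name that is not a CLSID.
        if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }

        # Standard COM registration: the in-process server DLL for this CLSID.
        $server = $null
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (Test-Path -LiteralPath $inproc) {
            $raw = (Get-Item -LiteralPath $inproc).GetValue('')
            if ($raw) { $server = [Environment]::ExpandEnvironmentVariables($raw).Trim('"') }
        }

        $status = 'NotRegistered'   # approved entry with no COM server behind it
        if ($server) {
            # Assumption: a bare file name refers to a DLL in System32.
            if (-not [IO.Path]::IsPathRooted($server)) {
                $server = Join-Path $env:SystemRoot "System32\$server"
            }
            $status = if (Test-Path -LiteralPath $server) {
                [string](Get-AuthenticodeSignature -LiteralPath $server).Status
            } else { 'FileMissing' }
        }

        [pscustomobject]@{
            Clsid       = $clsid
            Description = [string]$key.GetValue($clsid)
            Server      = $server
            Signature   = $status
        }
    }
}

# Show only the entries that deserve a closer look.
Get-ApprovedShellExtension |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Signature, Server |
    Format-Table -AutoSize
```

On a 64-bit system, run it from both a 64-bit and a 32-bit PowerShell host, since each sees its own registry view of the key.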
  1. Archived from groups: microsoft.public.win2000.group_policy

    Hello,

    Thanks for posting!

    I understand that you want to know the difference between the "Only allow
    approved Shell extensions" and "Run only allowed Windows applications". If
    I have misunderstood your concerns, please feel free to let me know.

    Based on my research, I would like to provide you with the following
    information for your reference:

    Run only allowed Windows applications
    User Configuration\Administrative Templates\System

    Description
    Limits the Windows programs that users have permission to run on the
    computer.

    If you enable this policy, users can only run programs that you add to the
    List of Allowed Applications in this policy.

    Note

    This policy only prevents users from running programs that are started by
    the Windows Explorer process. It does not prevent users from running
    programs such as Task Manager, which are started by the system process or
    by other processes. Also, if users have access to the command prompt,
    Cmd.exe, this policy does not prevent them from starting programs in the
    command window that they are not permitted to start by using Windows
    Explorer.

    When both the Run only allowed Windows applications policy and the Don't
    run specified Windows applications policy are enabled, they are both
    applied. Users can only run the programs listed in the Run only allowed
    Windows applications policy. However, if a program in that list is
    prohibited by the Don't run specified Windows applications policy, it does
    not run.

    Run only allowed Windows applications
    http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en-us/gp/206.asp

    If there is anything that is unclear, please feel free to let me know.

    Thanks & Regards,

    Jason Tan

    Microsoft Online Partner Support
    Get Secure! - www.microsoft.com/security

    =====================================================

    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.

    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.


    --------------------
    | From: "osis" <osis@osisonline.net>
    | Subject: Only allow approved Shell extensions
    | Date: Wed, 22 Jun 2005 14:32:20 -0400