Only allow approved Shell extensions

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Only allow approved Shell extensions
User Configuration\Administrative Templates\Windows Components\Windows
Explorer

Description
Directs Windows to start only the user interface extensions that the system
security or the user have approved.

When the system detects that the user is downloading an external program
that runs as part of the Windows user interface, the system searches for a
digital certificate or requests that the user approve the action. If you
enable this policy, Windows only starts approved programs.

This policy is designed to protect the system from damage from programs that
do not operate correctly or are intended to cause harm.

To view the approved user interface extensions for a system, start a
registry editor (Regedt32 or Regedit). The system stores entries
representing approved user interface extensions on a system in the following
registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell
Extensions\Approved.


How is this policy different than or similar to 'Run only allowed Windows
applications' or appsec? Might this best be used in conjunction with these
others? What does this policy really do?

Thanks

 

[Guest]

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hello,

Thanks for posting!

I understand that you want to know the difference between the "Only allow
approved Shell extensions" and "Run only allowed Windows applications". If
I have misunderstood your concerns, please feel free to let me know.

Based on my research, I would like to provide you with the following
information for your reference:

Run only allowed Windows applications
User Configuration\Administrative Templates\System

Description
Limits the Windows programs that users have permission to run on the
computer.

If you enable this policy, users can only run programs that you add to the
List of Allowed Applications in this policy.

Note

This policy only prevents users from running programs that are started by
the Windows Explorer process. It does not prevent users from running
programs such as Task Manager, which are started by the system process or
by other processes. Also, if users have access to the command prompt,
Cmd.exe, this policy does not prevent them from starting programs in the
command window that they are not permitted to start by using Windows
Explorer.

When both the Run only allowed Windows applications policy and the don't
run specified Windows applications policy are enabled, they are both
applied. Users can only run the programs listed in the Run only allowed
Windows applications policy. However, if a program in that list is
prohibited by the don't run specified Windows applications policy, it does
not run.

Run only allowed Windows applications
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/
en-us/Default.asp?url=/resources/documentation/Windows/2000/server/reskit/en
-us/gp/206.asp

If there is anything that is unclear, please feel free to let me know.

Thanks & Regards,

Jason Tan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.







--------------------
| From: "osis" <osis@osisonline.net>
| Subject: Only allow approved Shell extensions
| Date: Wed, 22 Jun 2005 14:32:20 -0400
| Lines: 33
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
| Message-ID: <eZqxri1dFHA.3864@TK2MSFTNGP10.phx.gbl>
| Newsgroups: microsoft.public.win2000.group_policy
| NNTP-Posting-Host: 216.68.37.130
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.win2000.group_policy:11348
| X-Tomcat-NG: microsoft.public.win2000.group_policy
|
| Only allow approved Shell extensions
| User Configuration\Administrative Templates\Windows Components\Windows
| Explorer
|
| Description
| Directs Windows to start only the user interface extensions that the
system
| security or the user have approved.
|
| When the system detects that the user is downloading an external program
| that runs as part of the Windows user interface, the system searches for a
| digital certificate or requests that the user approve the action. If you
| enable this policy, Windows only starts approved programs.
|
| This policy is designed to protect the system from damage from programs
that
| do not operate correctly or are intended to cause harm.
|
| To view the approved user interface extensions for a system, start a
| registry editor (Regedt32 or Regedit). The system stores entries
| representing approved user interface extensions on a system in the
following
| registry key:
|
| HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell
| Extensions\Approved.
|
|
| How is this policy different than or similar to 'Run only allowed Windows
| applications' or appsec? Might this best be used in conjunction with these
| others? What does this policy really do?
|
| Thanks
|
|
|
|