Disabling Windows Explorer For Non Admins and Leaving it Enabled For Admins.

evening,

running citrix xenapp environment , need disable explorer.exe running non admin users. team , have discovered exporer.exe can accessed app being used end user , therefore can grant user access xenapp server interface--this big no no!

users not have admin rights when in explorer.exe can shutdown server. can disable few areas such taskmgr, regedit, cmd, windows+x, , can prevent user shutting down system allowing them log off, , prevent them making changes desktop icons, preferred stick users , not allow them access xenapp server interface @ all,

have tested changing shell explorer.exe explorer.exe iexplorer.exe , worked fine (it displayed desktop wallpaper logged on user), change not reversible. luckily, took snapshot of virtual test system before hand. 

there way prevent windows explorer running non admins , local administrator account not affected change well? have tried preventing explorer.exe running via gpo didn't work.

in advance,

hi,

a more robust , managable way of securing systems controlling applications can launched software restriction policies.
check article for introduction to software restriction policies: http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

regards.

---

please remember mark replies answers if , unmark them if provide no help. if have feedback technet support, contact tnmff@microsoft.com

Windows Server  >  Security