Steady State Restriction - Only allow programs in windows and program files folder to run
Good Evening,

Question: Is there a way to make exceptions for programs which can be executed outside the windows or program files folder when the restriction is set (Only allow programs in windows and program files folder to run, C DRIVE)?

Detail: I have set up some PCs in a hotel for the reception area using Windows SteadyState. Normal user account, Windows Disk Protection and some restrictions to prevent them from executing possibly harmful software (Only allow programs in windows and program files folder to run, C DRIVE). I had to use "run as" with a secret admin user on one of the programs, as the database is stored on the E: drive and doesn't work with this option set (Only allow programs in windows and program files folder to run, C DRIVE), as the database is executed partially as a program and can't be on the C drive as disk protection would revert any work after reboot. The program cannot be replaced, but when the program wants to send an email it opens Outlook through the secret admin account and therefore is not synchronised with the user account.

Thanks in advance, with kind regards, John
July 13th, 2010 11:50pm

Hi John, you can try these steps below:

1. Windows SteadyState > User Settings > Windows Restrictions > Start Menu Restrictions > do not choose “Prevent programs in All User folder from appearing”
2. Windows Restrictions > General Restrictions > choose “Allow only programs in the Program Files and Windows folders to run”
3. Click “OK”

Thus it can allow programs in windows and program files folder to run.

Best regards
July 19th, 2010 7:21am

Hey Leo, thanks for the answer. I'm aware of this option; what I'm trying to do is allow users only to use programs on the PC locally and protect from external software (i.e. downloaded programs, or programs on a USB etc.), but still be able to make an exception for 1-2 special programs.

Kind regards, John
July 19th, 2010 4:43pm

Hi John, can you tell me the name of these special programs? As I tried on my test PC, when you select "Allow only programs in the Program Files and Windows folders to run", it is impossible to run other software from another disk or USB storage. You can try to create another user account and set restrictions, then log in with the new account to check if the same issue appears. Also you can try to set High Restrictions for the user first, including selecting "Allow only programs in the Program Files and Windows folders to run", and try again.
August 2nd, 2010 5:31pm

These programs can't be replaced as they are professional booking systems for hotels with interfaces to the wireless ordering devices for the waitresses, SSL banking channels, ski ticket activation for the local cable cars and a couple of other tools for inland revenue, all integrated. The system has to be designed around this program, not the other way round, but the program is called GastroDat. For the time being I created a limited account with some privileges and hid it from the logon screen... well, the solution does have security holes...
August 2nd, 2010 6:34pm

There is a way to manually add other paths so that the "Allow only" restriction doesn't deny them. It involves creating a new registry key/value specifying the desired path.

1. As administrator, you need to remove SteadyState restrictions from the user profile which needs to access the additional software path, at least enough restrictions to enable the user to run regedit and make changes.
2. Then temporarily add the user to the administrator's group to enable write access to the registry.
3. Log in as the desired user.
4. Click Start | Run and type regedit, then click OK.
5. In the registry tree, navigate to the following key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\ (the 262144 CodeIdentifier is used by SteadyState to determine which paths are NOT restricted, i.e., in the Allowed group of programs)
6. Right-click the Paths key and select New, then Key. Give the key the following name: {00000000-0000-0000-0001-000000000009} (include the braces; you can substitute another number at the end other than 9, but 9 is safe)
7. Right-click this new key; select New, then Expandable String Value. Give the item the following name: ItemData
8. Double click the ItemData value. In the entry box, enter the full path to the software folder you want to make accessible to the user (e.g., C:\goodSoftware\ ). Click OK. (Only executables under this folder will be accessible when restrictions are re-applied. If there are multiple paths involved (say C:\gooddata\ ), make sure to create a separate key/value for each path.)
9. Close the registry editor.
10. Add a shortcut to the program to the user desktop or Start Menu, so a link will be available when SteadyState restrictions are set back on.
11. Log off the user account.
12. Log back in as administrator.
13. Remove the user from the administrators group.
14. Reset the user profile's restrictions in SteadyState.
15. Set Windows Disk Protection to keep the changes (if you're using Disk Protection).
16. Reboot.

When the user logs in, the new software should run. Give it a test run.

Robert Williams
Technology Consultant
South Texas Library System
www.stls.lib.tx.us
August 20th, 2010 11:30pm
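
The registry steps from the answer above as a PowerShell script, added here as an illustration and not part of the original thread. It assumes PowerShell is installed and that it runs in the target user's session while that user is temporarily in the administrators group; it also reports non-administrator write access on the allowed folder, because a path rule trusts every executable a user can place there. `C:\goodSoftware\` is the post's example path.

```powershell
# Added example (not from the original post): create the extra "allowed path"
# rule described above, list all rules, and check who can write to the folder.
param(
    [string]$AllowedPath = 'C:\goodSoftware\',   # example path from the post
    [string]$RuleGuid    = '{00000000-0000-0000-0001-000000000009}'
)

$paths = 'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths'
$rule  = "$paths\$RuleGuid"

if (-not (Test-Path -LiteralPath $paths)) {
    throw "Paths key not found under HKCU; nothing was changed."
}
if (Test-Path -LiteralPath $rule) {
    throw "Rule $RuleGuid already exists; choose another trailing number."
}

# New key plus an Expandable String Value named ItemData, as in the post.
New-Item -Path $rule | Out-Null
New-ItemProperty -Path $rule -Name 'ItemData' -PropertyType ExpandString `
    -Value $AllowedPath | Out-Null

# Show every path rule now present in the Allowed (262144) group.
Get-ChildItem -LiteralPath $paths | ForEach-Object {
    New-Object PSObject -Property @{
        Rule     = $_.PSChildName
        ItemData = $_.GetValue('ItemData')
    }
} | Format-Table Rule, ItemData -AutoSize

# Report Allow entries with write access held by anyone other than
# BUILTIN\Administrators (S-1-5-32-544) or SYSTEM (S-1-5-18).
# Limitation: entries stored as generic rights are not decoded here.
$write   = [System.Security.AccessControl.FileSystemRights]::WriteData
$sidType = [System.Security.Principal.SecurityIdentifier]
$trusted = 'S-1-5-32-544', 'S-1-5-18'

$risky = (Get-Acl -Path $AllowedPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $write) -and
    ($trusted -notcontains $_.IdentityReference.Translate($sidType).Value)
}

if ($risky) {
    Write-Warning "Non-admin principals can write to ${AllowedPath}:"
    $risky | Format-Table IdentityReference, FileSystemRights -AutoSize
} else {
    Write-Output "No non-admin write access found on $AllowedPath"
}
```

If the warning fires, the restricted account can copy its own executables into the allowed folder and run them, so writable data is better kept in a separate folder that has no path rule.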

Sorry for the late reply. Tried your suggestion rlwstls and it worked perfectly. I like the professionalism of your answer. Great work and thanks :)
September 2nd, 2010 9:37pm

This topic is archived. No further replies will be accepted.
