If you’d like to limit what apps a user can run on a PC, Windows gives you two options. You can block the apps you don’t want a user to run, or you can restrict them to running only specific apps. Here’s how to do it.
如果您想限制用户可以在PC上运行的应用程序,则Windows提供了两种选择。 您可以阻止不希望用户运行的应用程序,也可以将它们限制为仅运行特定的应用程序。 这是操作方法。
NOTE: Be absolutely sure that you are making changes to a user account you actually want to restrict, and that you always have an unrestricted administrative account available to undo those changes. This is especially true if you are restricting users to a specific set of apps, as those users will lose access even to tools like Registry Editor and Local Group Policy Editor. If you do accidentally apply restrictions to your administrative account, the only way we’ve found to reverse the changes is to run System Restore by going to Settings > Update & Security > Recovery and clicking the “Restart now” button under Advanced Startup. From there, you can find the setting for running System Restore after a restart, since you won’t be able to run System Restore the normal way. For this reason, we also highly recommend creating a restore point before making any of the changes here.
注意:绝对确保要对实际上要限制的用户帐户进行更改,并且始终具有可用于撤消那些更改的不受限制的管理帐户。 如果将用户限制为一组特定的应用程序,则尤其如此,因为这些用户甚至将无法访问注册表编辑器和本地组策略编辑器之类的工具。 如果您确实对管理帐户不加限制,我们发现要撤消更改的唯一方法是运行系统还原,方法是转到“设置”>“更新和安全性”>“恢复”,然后单击“高级启动”下的“立即重新启动”按钮。 从那里,您可以找到重启后运行系统还原的设置,因为您将无法以正常方式运行系统还原。 因此,我们强烈建议您在此处进行任何更改之前创建一个还原点 。
家庭用户:通过编辑注册表来阻止或限制应用 (Home Users: Block or Restrict Apps by Editing the Registry)
To block or restrict apps in the Home edition of Windows, you’ll need to dive into the Windows Registry to make some edits. The trick here is that you’ll want to log on as the user you want to make changes for, and then edit the Registry while logged onto their account. If you have multiple users for which you want to changes for, you’ll have to repeat the process for each user.
要阻止或限制Windows Home Edition中的应用程序,您需要深入Windows注册表进行一些编辑。 这里的技巧是,你要登录的用户要进行更改 ,然后编辑注册表,同时登录到他们的帐户。 如果您要更改多个用户,则必须为每个用户重复该过程。
Standard warning: Registry Editor is a powerful tool and misusing it can render your system unstable or even inoperable. This is a pretty simple hack and as long as you stick to the instructions, you shouldn’t have any problems. That said, if you’ve never worked with it before, consider reading about how to use the Registry Editor before you get started. And definitely back up the Registry (and your computer!) before making changes.
标准警告:注册表编辑器是一个功能强大的工具,滥用它会使您的系统不稳定甚至无法运行。 这是一个非常简单的技巧,只要您按照说明进行操作,就不会有任何问题。 也就是说,如果您以前从未使用过它,请在开始之前考虑阅读有关如何使用注册表编辑器的信息 。 并在进行更改之前一定要备份注册表 (和您的计算机 !)。
通过注册表阻止某些应用 (Block Certain Apps Through the Registry)
First, you’ll need to log on to Windows using the user account for which you want to block apps. Open the Registry Editor by hitting Start and typing “regedit.” Press Enter to open Registry Editor and give it permission to make changes to your PC.
首先,您需要使用您要阻止其应用程序的用户帐户登录Windows。 通过单击开始并键入“ regedit”来打开注册表编辑器。 按Enter键打开注册表编辑器,并授予其对PC进行更改的权限。
In the Registry Editor, use the left sidebar to navigate to the following key:
在注册表编辑器中,使用左侧边栏导航至以下键:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
Next, you’re going to create a new subkey inside the Policies key. Right-click the Policies key, choose New > Key, and then name the new key Explorer .
接下来,您将在“ Policies键中创建一个新的子键。 右键单击“ Policies密钥,选择“新建”>“密钥”,然后将新密钥命名为Explorer 。
Next you’re going to create a value inside the new Explorer key. Right-click the Explorer key and choose New > DWORD (32-bit) value. Name the new value DisallowRun .
接下来,您将在新的Explorer键中创建一个值。 右键单击Explorer键,然后选择“新建”>“ DWORD(32位)”值。 将新值命名为DisallowRun 。
Double-click the new DisallowRun value to open its properties dialog. Change the value from 0 to 1 in the “Value data” box and then click “OK.”
双击新的DisallowRun值以打开其属性对话框。 在“数值数据”框中将值从0更改为1,然后单击“确定”。
Back in the main Registry Editor window, you’re now going to create a new subkey inside the Explorer key. Right-click the Explorer key and choose New > Key. Name the new key DisallowRun , just like the value you already created.
回到“注册表编辑器”主窗口,现在您将在“ Explorer项中创建一个新的子项。 右键单击Explorer键,然后选择“新建”>“键”。 将新密钥命名为DisallowRun ,就像您已经创建的值一样。
Now, it’s time to start adding apps you want to block. You’ll do this by creating a new string value inside the DisallowRun key for each app you want to block. Right-click the DisallowRun value and then choose New > String Value. You’ll be naming these values with simple numbers, so name the first value you create “1.”
现在,该开始添加要阻止的应用程序了。 为此,您需要在DisallowRun键中为要阻止的每个应用程序创建一个新的字符串值。 右键单击DisallowRun值,然后选择“新建”>“字符串值”。 您将使用简单数字命名这些值,因此将创建的第一个值命名为“ 1”。
Double-click the new value to open its property dialog, type the name of the executable you want to block into the “Value data” box (e.g., notepad.exe ), and then click “OK.”
双击新值以打开其属性对话框,在“值数据”框中键入要阻止的可执行文件的名称(例如notepad.exe ),然后单击“确定”。
Repeat this process, naming the second string value “2” and the third “3” and so on, and then adding the executable file names you want to block to each value.
重复此过程,将第二个字符串值命名为“ 2”,第三个字符串值命名为“ 3”,依此类推,然后将要阻止的可执行文件名添加到每个值。
When you’re done, you can restart Windows, log onto that user account, and then test things by trying to run one of those apps. You should see a “Restrictions” window pop-up letting you know that you can’t run the app.
完成后,您可以重新启动Windows,登录该用户帐户,然后通过尝试运行这些应用程序之一来进行测试。 您应该会看到一个“限制”窗口弹出窗口,告知您无法运行该应用程序。
You’ll need to repeat this process for each user account for which you need to block apps. Though, if you’re blocking the same apps for multiple user accounts, you could always create your own Registry hack by exporting the DisallowRun key after you’ve configured the first user account and then importing it after logging onto to each subsequent account.
您需要为每个需要阻止其应用程序的用户帐户重复此过程。 但是,如果要阻止多个用户帐户使用相同的应用程序,则始终可以通过在配置第一个用户帐户后导出DisallowRun项,然后在登录到每个后续帐户后将其导入来创建自己的注册表黑客 。
If you want to edit the list of blocked apps, just return to the DisallowRun key and make the changes you want. If you want to restore access to all apps, you can either delete the wholeExplorer key you created–along with DisallowRun subkey and all the values. Or you could just go back and change the value of the DisallowRun value you created from 1 back to 0, effectively turning off app blocking while leaving the list of apps in place should you want to turn it on again in the future.
如果要编辑被阻止的应用程序列表,只需返回DisallowRun键并进行所需的更改。 如果要恢复对所有应用程序的访问权限,则可以删除创建的整个Explorer密钥以及DisallowRun子项和所有值。 或者,您也可以返回并将您创建的DisallowRun值的值从1更改为0,以有效地关闭应用程序阻止功能,同时保留应用程序列表,以备将来再次打开时使用。
通过注册表仅阻止某些应用 (Block Only Certain Apps Through the Registry)
Restricting users to running only certain apps in the Registry follows almost exactly the same procedure as blocking specific apps. You’ll again need to log on to Windows using user account you want to change. Fire up Registry Editor and then head to the following key:
将用户限制为仅在注册表中运行某些应用程序的过程与阻止特定应用程序的过程几乎完全相同。 您将再次需要使用要更改的用户帐户登录Windows。 启动注册表编辑器,然后转到以下键:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies
Right-click the Policies key, choose New > Key, and then name the new key Explorer .
右键单击“ Policies密钥,选择“新建”>“密钥”,然后将新密钥命名为Explorer 。
Next you’re going to create a value inside the new Explorer key. Right-click the Explorer key and choose New > DWORD (32-bit) value. Name the new value RestrictRun .
接下来,您将在新的Explorer键中创建一个值。 右键单击Explorer键,然后选择“新建”>“ DWORD(32位)”值。 将新值命名为RestrictRun 。
Double-click the new RestrictRun value to open its properties dialog. Change the value from 0 to 1 in the “Value data” box and then click “OK.”
双击新的RestrictRun值以打开其属性对话框。 在“数值数据”框中将值从0更改为1,然后单击“确定”。
Back in the main Registry Editor window, you’re now going to create a new subkey inside the Explorer key. Right-click the Explorer key and choose New > Key. Name the new key RestrictRun , just like the value you already created.
回到“注册表编辑器”主窗口,现在您将在“ Explorer项中创建一个新的子项。 右键单击Explorer键,然后选择“新建”>“键”。 将新键命名为RestrictRun ,就像您已经创建的值一样。
Now, you’ll add apps to which the user is allowed access. Create a new string value inside the RestrictRun key for each app you want to block. Right-click the RestrictRun value and then choose New > String Value. You’ll be naming these values with simple numbers, so name the first value you create “1.”
现在,您将添加允许用户访问的应用程序。 在您要阻止的每个应用程序的RestrictRun键内创建一个新的字符串值。 右键单击RestrictRun值,然后选择“新建”>“字符串值”。 您将使用简单数字命名这些值,因此将创建的第一个值命名为“ 1”。
Double-click the new value to open its property dialog, type the name of the executable you want to block into the “Value data” box (e.g., notepad.exe ), and then click “OK.”
双击新值以打开其属性对话框,在“值数据”框中键入要阻止的可执行文件的名称(例如notepad.exe ),然后单击“确定”。
Repeat this process, naming the values “2,” “3,” and so on, and then adding the executable file names you want the user to be able to run to each value.
重复此过程,命名值“ 2”,“ 3”,依此类推,然后将希望用户能够运行的可执行文件名称添加到每个值。
When you’re done, restart Windows, log into that user account again, and test your settings. You should only be able to run apps to which you explicitly allowed access. You’ll need to repeat the process with each user account for which you want to restrict apps or create your own Registry hack you can use to apply settings to each user more quickly.
完成后,重新启动Windows,再次登录该用户帐户,然后测试您的设置。 您应该只能运行您明确允许访问的应用程序。 您需要对要限制应用程序的每个用户帐户重复此过程,或者创建自己的注册表黑客,您可以用来更快地将设置应用于每个用户。
To reverse your changes, you can delete the Explorer key you created (along with the RestrictRun subkey and all values) or you can set that RestrictRun value you created back to 0, turning off restricted access.
要撤消更改,可以删除创建的Explorer键(以及RestrictRun子键和所有值),也可以将创建的RestrictRun值重新设置为0,以关闭受限访问。
专业版和企业版用户:使用本地组策略编辑器阻止或限制应用 (Pro and Enterprise Users: Block or Restrict Apps with the Local Group Policy Editor)
If you use the Pro or Enterprise version of Windows, blocking or restricting apps can be a little easier because you can use the Local Group Policy Editor to do the job. One big advantage is that you can apply policy settings to other users–or even groups of users–without having to log in as each user to make the changes the way you do when making these changes with Registry Editor.
如果您使用Windows的Pro或Enterprise版本,则阻止或限制应用程序会更容易一些,因为您可以使用本地组策略编辑器来完成此工作。 一个很大的优点是,您可以将策略设置应用于其他用户甚至用户组,而不必像使用注册表编辑器进行更改那样以每个用户身份登录进行更改。
The caveat here is that you’ll need to do a little extra setup by first creating a policy object for those users. You can read all about that in our guide to applying local Group Policy tweaks to specific users. You should also be aware that group policy is a pretty powerful tool, so it’s worth taking some time to learn what it can do. Also, if you’re on a company network, do everyone a favor and check with your admin first. If your work computer is part of a domain, it’s also likely that it’s part of a domain group policy that will supersede the local group policy, anyway.
需要注意的是,首先需要为这些用户创建策略对象,您需要做一些额外的设置。 您可以在将本地组策略调整应用于特定用户的指南中阅读所有相关内容。 您还应该意识到,组策略是一个非常强大的工具,因此值得花一些时间来学习它可以做什么 。 另外,如果您在公司网络中,请给所有人一个帮助,并首先与您的管理员联系。 如果您的工作计算机是域的一部分,则它也很可能是域组策略的一部分,无论如何,该组策略将取代本地组策略。
The process for allowing or restricting apps with the Local Group Policy Editor is almost identical, so we’re going to show you how to restrict users to only running certain apps here and just point out the differences. Start by finding the MSC file you created for controlling policies for those particular users. Double-click to open it and allow it to make changes to your PC. In this example, we’re using one we created for applying policy to all non-administrative user accounts.
使用“本地组策略编辑器”允许或限制应用程序的过程几乎相同,因此我们将向您展示如何限制用户仅在此处运行某些应用程序,并指出不同之处。 首先找到您创建的用于控制那些特定用户的策略的MSC文件。 双击打开它,并允许它对您的PC进行更改。 在此示例中,我们使用创建的策略将策略应用于所有非管理用户帐户。
In the Group Policy window for those users, on the left-hand side, drill down to User Configuration > Administrative Templates > System. On the right, find the “Run only specified Windows applications” setting and double-click it to open its properties dialog. If you want to block specific applications rather than restricting them, you would open the “Don’t run specified Windows applications” setting instead.
在这些用户的“组策略”窗口的左侧,深入到“用户配置”>“管理模板”>“系统”。 在右侧,找到“仅运行指定的Windows应用程序”设置,然后双击它以打开其属性对话框。 如果要阻止特定的应用程序而不是限制它们,则可以打开“不要运行指定的Windows应用程序”设置。
In the properties window that opens, click the “Enabled” option and then click the “Show” button.
在打开的属性窗口中,单击“启用”选项,然后单击“显示”按钮。
In the “Show Contents” window, click each line in the list and type the name of the excecutable you want users to be able to run (or the name of apps you want to block if that’s what you’re doing instead). When you’re done building your list, click “OK.”
在“显示目录”窗口中,单击列表中的每一行,然后键入您希望用户能够运行的可执行文件的名称(如果您要这样做,则键入您要阻止的应用程序的名称)。 创建完列表后,单击“确定”。
You can now exit the Local Group Policy window. To test your changes, sign in with one of the affected user accounts and try to launch an app to which the user should not have access. Instead of launching the app, you should see an error message.
现在,您可以退出“本地组策略”窗口。 要测试您的更改,请使用一个受影响的用户帐户登录,然后尝试启动该用户不具有访问权限的应用程序。 而不是启动该应用程序,您应该看到一条错误消息。
If you want to disable your changes, just head back into the Local Group Policy editor by double-clicking your MSC file again. This time, change the “Run only specified Windows applications” or “Don’t run specified Windows applications” options to “Disabled” or “Not Configured.” This will turn the setting off entirely. It will also reset your list of apps, so if you want to turn it on again, you’ll need to retype that list.
如果要禁用更改,只需再次双击MSC文件,回到本地组策略编辑器。 这次,将“仅运行指定的Windows应用程序”或“不运行指定的Windows应用程序”选项更改为“已禁用”或“未配置”。 这将完全关闭设置。 它还会重置您的应用列表,因此,如果您想再次打开它,则需要重新输入该列表。
翻译自: https://www.howtogeek.com/howto/8739/restrict-users-to-run-only-specified-programs-in-windows-7/
664
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
