Hi, I want to restrict users' rights to execute programs on w2k workstations (using NT4 Server). I could set permissions to directories so that users had only read/write access to their contents but not execute. However, the problem comes with roaming profile: Whenever user logs on the profile is copied to Documents and Settings, and w2k sets the profile directory's permissions to full for the user (no rights for other). So, no matter if I had restricted the user from executing programs from any other directory, this seems to be a place where he can do so. How can I set it so that when roaming profile is copied to local hd Windows sets profile directory's permissions only to read/write and such but not to execute. Then again, the owner of this directory seems to be the user himself and therefore he can get full access to this directory, being able to execute any program file wanted that he copies there. I want to prevent this and only let the users execute a few specified programs, how to do so (Poledit's way doesn't work because no paths can be included there).

Uninstall the programs if you don't want users to be able to run them. Why would they need read/write permission to something they can't run in the first place?

My fault, I mean that I want to restrict them from executing any programs of their own, but be able to use one's admins install on workstations. So I want them to be able to save their own stuff to some place on hd and of course they must have write access to their profile folder, but when it comes to executing programs, they would only have access to ones specified by admins.