Our company has an application wherein we would like to restrict which programs a regular (i.e. non-administrator) user can access. In effect, we would like to make sure that they only use four or five programs on this computer, making it a fancy front-end interfacer rather than a general-purpose computer.
The tricky part is that we don’t want the Administrator account to have the same restrictions. We tried using group policies, but this crippled both the admin and the non-admin accounts.
You apply permissions at the File level. Take Excel for an example.
You create a global group called Excel Users.
You create a local group called App-Excel.
On each machine you right-click Excel.Exe and set the permissions to:
Local Machine ID\Administrators: F(ull)
Local Machine ID\App-Excel: R(ead) (e)X(ecute)
This can be done programmatically using cacls.exe.
Add the global group to the local group.
Now just add those you want to be able to use Excel to the global group and you’re done.
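The steps in the answer above as one script for an elevated PowerShell session on each workstation. This is an added example, not part of the original answer, and it uses icacls.exe, the successor to the cacls.exe the answer names. Assumptions: the domain name and the path to Excel.exe are placeholders, and the global group "Excel Users" already exists in the domain.

```powershell
# Added example. Placeholders below are not from the original post.
$Domain      = 'EXAMPLEDOMAIN'                  # placeholder domain name
$GlobalGroup = "$Domain\Excel Users"            # global group from the answer (assumed to exist)
$LocalGroup  = 'App-Excel'                      # local group from the answer
$ExePath     = 'C:\Path\To\Office\EXCEL.EXE'    # placeholder path to Excel.exe
$AdminsSid   = 'S-1-5-32-544'                   # well-known SID of the local Administrators group

if (-not (Test-Path -LiteralPath $ExePath -PathType Leaf)) {
    throw "Executable not found: $ExePath"
}

# Create the local group only if it does not exist yet.
if (-not (Get-LocalGroup -Name $LocalGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $LocalGroup -Description 'Members may run Excel' | Out-Null
}

# Add the global group to the local group (skip if already a member).
$members = Get-LocalGroupMember -Group $LocalGroup | Select-Object -ExpandProperty Name
if ($members -notcontains $GlobalGroup) {
    Add-LocalGroupMember -Group $LocalGroup -Member $GlobalGroup
}

# Remove inherited entries (this is where ordinary users normally get
# read/execute), then grant exactly the two entries from the answer.
icacls.exe $ExePath /inheritance:r /grant:r "*${AdminsSid}:(F)" "${LocalGroup}:(RX)"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Verify by SID, so the check does not depend on localized group names.
# Any explicit entry left over from earlier changes is reported here.
$allowedSids = @($AdminsSid, (Get-LocalGroup -Name $LocalGroup).SID.Value)
$rules = (Get-Acl -LiteralPath $ExePath).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])
$unexpected = $rules | Where-Object { $allowedSids -notcontains $_.IdentityReference.Value }

if ($unexpected) {
    $unexpected | Format-Table IdentityReference, FileSystemRights, IsInherited
    throw "Unexpected access entries remain on $ExePath"
}
Write-Output "ACL on $ExePath is limited to Administrators (F) and $LocalGroup (RX)."
```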