Restrict Applications Available to Users

Prevent your users from running potentially dangerous applications.

Keeping users from running certain applications isn’t so important when you’re an administrator using your own workstation. But when you’re dealing with regular users in an enterprise network environment, you don’t want your users running any nefarious programs. Such programs include those that can break their operating system installation, introduce security holes to their system, or even attack other machines on your network.

There are a couple of ways to restrict the applications available to your users. First, you can modify the ACLs for a particular program so that users cannot execute it. For example, suppose you have a sniffer installed on a user’s machine for network diagnostic purposes. Access to this program is fine for an administrator, but it is probably not appropriate for a normal user. You can prevent normal users from running the program by removing execution permissions for the Users group. To do this, locate the program’s executable file and right-click it. Now click the Properties menu item, and you should see a dialog box like the one shown in Figure 2-9.


Figure 2-9. Properties dialog for ethereal.exe, the Ethernet sniffer

Now click on the Security tab and select the Users group from the list at the top of the dialog. You should now see something similar to Figure ...
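The permission change made through the Security tab can also be scripted, which helps when the same restriction has to be applied to many workstations. The PowerShell below is an added example, not code from the book; the install path is an assumed placeholder, and the script removes only the execute right granted to the Users group.

```powershell
# Assumed install path (placeholder, not from the page); run from an elevated prompt.
$exe = 'C:\Program Files\Ethereal\ethereal.exe'

# Well-known SID for BUILTIN\Users; using the SID avoids localized group names.
$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

# Inherited ACEs cannot be edited in place, so stop inheriting from the parent
# folder and keep the current entries as explicit copies ($true, $true).
$acl = Get-Acl -LiteralPath $exe
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $exe -AclObject $acl

# Re-read the ACL, then strip only the execute right from the Users allow ACE.
# A deny ACE is avoided on purpose: an administrator's logon token normally
# carries the Users group too, and deny entries take precedence over allow entries.
$acl  = Get-Acl -LiteralPath $exe
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($users, 'ExecuteFile', 'Allow')
[void]$acl.RemoveAccessRule($rule)
Set-Acl -LiteralPath $exe -AclObject $acl

# Verify: list every allow ACE that still grants execute. Access is the union of
# all groups a user belongs to, so any other broad group listed here still lets
# its members run the program.
$execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
(Get-Acl -LiteralPath $exe).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $execute) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

After the script runs, the final listing should show only the principals that are meant to run the sniffer, such as Administrators and SYSTEM.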
