1. Create your own policy. After you open the Group Policy Editor, expand Computer Configuration → Windows Settings → Security Settings → Software Restriction Policies, and then click Action → Create New Policy on the menu bar to create a new policy.
2. Block QQ. Expand the new policy, right-click "Additional Rules" and select "New Hash Rule". Click "Browse" in the pop-up window and select QQ.exe. A file hash is generated, and the system also reads the file's basic information such as version and company name. For "Security level", select "Disallowed" (Figure 1).
Tip: This method can also be used to stop known viruses from running. For example, if the anti-virus software reports a virus at "C:\abc.exe" but cannot remove it, you can create a hash rule for abc.exe to prevent it from running and then delete it.
3. Stop downloaded software from running. Downloads are mainly made with IE and FlashGet, so first fix the download folder and then create a new path rule for it. This prevents the younger brother from installing downloaded software.
(1) Prohibit IE downloads. Run Registry Editor and expand in sequence [HKEY_USERS\S-1-5-21-1202660629-854245398-1060284298-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3], then in the right-hand pane change the value of "1803" to "3" (Figure 2), so that IE cannot be used to download files.
(2) Set the FlashGet download location. After starting FlashGet, click "Tools → Default Download Properties" and set the download folder to D:\downloads.
(3) Create a restriction rule. As before, right-click "Additional Rules" and select "New Path Rule", select "D:\downloads" when prompted, and for "Security level" select "Disallowed".
Tip: Many software downloads are in RAR format, so you can also create blocking rules for Winrar.exe and its default extraction path.
4. Prevent modification of Group Policy. To keep the younger brother from finding out that the restrictions come from Group Policy, you can block the Group Policy editor from running. As before, in the Group Policy editing window, expand Local Computer Policy → User Configuration → Administrative Templates → System, then double-click "Don't run specified Windows applications" in the right-hand settings pane, click "Settings" in the pop-up window, select "Enabled", and add "Mmc.exe" as a program that is not allowed to run.
Mmc.exe is the policy editor that ships with the system; once it is blocked from running, the policy editor can no longer be used. If you want to run Mmc.exe yourself to edit Group Policy, simply rename "C:\windows\mmc.exe", run it, and then click File/Open to open C:\windows\system32\gpedit.msc.
After making the settings above and restarting, the system will refuse the younger brother's attempts to run QQ.exe, and likewise any attempt to run (or install) software under D:\downloads (see Figure 3). In addition, for programs blocked by a hash rule, the restriction is not lifted by renaming the file or by moving it to another location! The "Don't run specified Windows applications" policy, however, matches on file names and can be lifted by renaming.
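The settings from steps 2 to 4 can be read back from the registry to confirm they took effect and to see which rules depend only on a file name. This PowerShell is an added example, not part of the original article; `Get-RestrictionAudit` is a hypothetical name, and the registry locations used for Software Restriction Policies and the "Don't run specified Windows applications" list are assumptions about where Windows stores these policies.

```powershell
# Added example (not from the article): read back the restrictions for one user.
# Get-RestrictionAudit is a hypothetical helper name. Registry locations are the
# usual Windows ones for these policies and are assumptions, not taken from the page.
function Get-RestrictionAudit {
    param(
        # SID of the account to check; defaults to the user running the script.
        [string]$Sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    )
    $user  = "Registry::HKEY_USERS\$Sid\Software\Microsoft\Windows\CurrentVersion"
    $safer = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0'

    # Step 3(1): action 1803 in Internet zone 3; the value 3 disables file download.
    $zone = Get-ItemProperty -Path "$user\Internet Settings\Zones\3" -ErrorAction SilentlyContinue
    $ieBlocked = ($null -ne $zone) -and ($zone.'1803' -eq 3)

    # Steps 2 and 3(3): Disallowed (level 0) hash and path rules, one subkey per rule.
    $hashRules = @(Get-ChildItem -Path "$safer\Hashes" -ErrorAction SilentlyContinue |
        ForEach-Object { $_.GetValue('FriendlyName') })
    $pathRules = @(Get-ChildItem -Path "$safer\Paths" -ErrorAction SilentlyContinue |
        ForEach-Object { $_.GetValue('ItemData') })

    # Step 4: "Don't run specified Windows applications" stores bare file names.
    $nameRules = @()
    $list = Get-Item -Path "$user\Policies\Explorer\DisallowRun" -ErrorAction SilentlyContinue
    if ($list) { $nameRules = @($list.GetValueNames() | ForEach-Object { $list.GetValue($_) }) }

    [pscustomobject]@{
        IEDownloadBlocked = $ieBlocked
        HashRules         = $hashRules   # follow the file content: survive rename and move
        PathRules         = $pathRules   # tied to a folder such as the download directory
        NameRules         = $nameRules   # match the file name only: a rename lifts them
    }
}

Get-RestrictionAudit | Format-List
```

Checking another account's SID requires an elevated prompt and that account's registry hive to be loaded, for example while the user is logged on.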