Control access to applications with Appsec.exe
IT pros who want to restrict access to applications might want to consider using the GUI-based tool called Application Security (Appsec.exe) from the Windows 2000 Resource Kit. The tool automatically adds certain applications to the list, including XCOPY, CMD, SUBST, NET, and several others. When you add an application, you specify the absolute path to the application's executable file.
Appsec lets you restrict access to applications, enabling you to control the applications that a given user can run. You can also use Appsec to track application access and let you know when someone runs a restricted application indirectly, such as launching Word by starting a new message in Outlook with Word as the default e-mail editor. This tracking ability can help you identify and close potential loopholes.
Appsec's restriction list applies to the local computer and therefore to all local users. It doesn't discriminate on a per-user or per-group basis. In addition, the restriction list is single-purpose; if an application is on the list, it blocks access for all users. In order to unblock an application, you must remove it from the list.
Appsec doesn't provide a mechanism for disabling security for a specific application on the list, although you can enable and disable security globally. Administrators aren't affected by Appsec and can access all applications regardless of their presence on the restriction list.
Note: Microsoft states in Knowledge Base article Q257980 that the version of Appsec included with the Windows 2000 Resource Kit is missing three files. You can download the complete version of Appsec from
Microsoft's ftp site .