Originally posted here by SirDice
I can't help but wonder "Why?"... Why would you prevent users from creating and executing batch files? What's the risk? Or even better.. What are you trying to prevent your users from doing?

So you've prevented cmd.exe.... What about command.com? What about a user that just copies cmd.exe and renames it to mycmd.exe?
say for a simple example, user downloaded netcat (from his home,maybe)
bring it to office on a USB/floppy/CDROM , insert it and start creating a batch
such as

echo "HEAD / HTTP/1.1\n\n" | nc.exe -vv <IP> ( ok i forgot the exact syntax, roughly it's like this for example)

Then he can double click the batch and it will execute.
AFAIK, netcat can be run on a floppy.
anyway, it's just a simple example of what users can do with batch. (even WSH i want to disable in future)

So i don't want users to do that.

BtW, we have XP users and PDC is running on Win2k server

thanks