If you share a computer and don’t want other users accessing certain applications, there is a new feature in Windows 7 that allows you to block them. Today we take a quick look at restricting what programs other users can access using AppLocker.

如果您共享一台计算机，并且不希望其他用户访问某些应用程序，则Windows 7中有一项新功能可让您阻止它们。 今天，我们快速了解如何限制其他用户可以使用AppLocker访问哪些程序。

Note: AppLocker is only available in Ultimate and Enterprise versions of Windows 7.

注意：AppLocker仅在Windows 7的旗舰版和企业版中可用。

Using AppLocker

使用AppLocker

To access Group Policy Editor and create rules in AppLocker you’ll need to be logged in as Administrator. Click on Start and type gpedit.msc into the search box and hit Enter.

要访问组策略编辑器并在AppLocker中创建规则，您需要以管理员身份登录。 单击“开始”，然后在搜索框中键入gpedit.msc ，然后按Enter。

Under Local Computer Policy go to Computer Configuration \ Windows Settings \ Security Settings \ Application Control Policies \ AppLocker.

在本地计算机策略下，转到计算机配置\ Windows设置\安全设置\应用程序控制策略\ AppLocker。

Now you will see the overall controls for the applications.

现在，您将看到应用程序的整体控件。

Under Configure Rule Enforcement click on the Configure rule enforcement link.

在“配置规则实施”下，单击“配置规则实施”链接。

Now under AppLocker Properties check the boxes next to Configured under Executable rules then click Ok.

现在，在“ AppLocker属性”下，选中“可执行规则”下的“已配置”旁边的框，然后单击“确定”。

Blocking Apps from Running

阻止应用运行

In this scenario, Jack wastes time playing games like Minesweeper and Solitaire when he should be doing his homework, so we are going to block all of the games. After completing the steps above, under the Overview section click on Executable Rules.

在这种情况下，杰克在做功课时会浪费时间玩Minesweeper和Solitaire之类的游戏，因此我们将阻止所有游戏。 完成上述步骤后，在“概述”部分下，单击“可执行规则”。

Since this is your first time accessing AppLocker, there will be no rules listed. Right-click and select Create New Rule…

由于这是您首次访问AppLocker，因此不会列出任何规则。 右键单击并选择“创建新规则”。

This opens up the Create Executable Rules wizard and you can select not to show the introduction screen at start up for the next time you access it.

这将打开“创建可执行规则”向导，您可以选择在下次启动时不显示启动时的介绍屏幕。

Select Permissions under Action select Deny.

在“操作”下选择“权限”，然后选择“拒绝”。

Add the user you want to block, in this case it’s Jack.

添加您要阻止的用户，在这种情况下为杰克。

After you’ve selected the deny action and selected the user continue to the next step.

选择了拒绝操作并选择了用户之后，继续进行下一步。

In Conditions you can select from Publisher, Path or File hash. We don’t want Jack to have access to any of the games. so we will select Path.

在条件中，可以从发布者，路径或文件哈希中选择。 我们不希望杰克访问任何游戏。 因此我们将选择路径。

Click on Browse Folders and select the Microsoft Games folder.

单击浏览文件夹，然后选择Microsoft游戏文件夹。

In the next screen you could add Exceptions like allowing certain files, but because we are blocking the entire games directory we’ll skip to the next screen.

在下一个屏幕中，您可以添加允许某些文件之类的例外，但是由于我们阻止了整个游戏目录，因此我们将跳至下一个屏幕。

Here you can add a description to the rule so you can keep track of them is there are several rules configured. When everything looks right click on Create.

您可以在此处为规则添加描述，以便在配置了多个规则的情况下跟踪它们。 一切看起来正确后，单击“创建”。

A message pops up saying default rules haven’t been created yet. It is important to make sure they are created so click Yes to this message.

弹出一条消息，提示尚未创建默认规则。 确保已创建它们很重要，因此单击此消息是。

Now you will see the default rules and the new one you created showing Jack is denied access to the Microsoft Games directory.

现在，您将看到默认规则，并且创建的新规则显示杰克被拒绝访问Microsoft Games目录。

After creating the rule make sure and go into services and make Application Identification is started and that it’s set to automatically start as well otherwise the rules won’t work. By default this service is not started so you will need to enable it.

创建规则后，请确保进入服务并启动“应用程序标识” ，并且将其设置为也自动启动，否则规则将不起作用。 默认情况下，此服务未启动，因此您需要启用它。

Now, when Jack logs into his user account and tries to access the games he will only see the following message. Only an Administrator can go in and change the rule.

现在，当杰克登录到他的用户帐户并尝试访问游戏时，他只会看到以下消息。 只有管​​理员可以进入并更改规则。

Conclusion

结论

Use caution when configuring the rules and only start the Application Identity service after everything looks right. Otherwise you have the potential of locking yourself out of all applications including AppLocker.AppLocker is a powerful feature included in Windows 7 and we showed you a basic rule so you can get an idea of how it works. In the future we’ll take a look at more complex tasks to accomplish and gain tight control over what programs each user is able to access.

配置规则时请小心，只有在一切看起来正确之后才启动Application Identity Service。 否则，您有可能将自己锁定在包括AppLocker在内的所有应用程序之外。AppLocker是Windows 7中包含的一项强大功能，我们向您展示了一条基本规则，以便您可以了解其工作原理。 将来，我们将研究更复杂的任务，以完成并严格控制每个用户可以访问的程序。

翻译自: https://www.howtogeek.com/howto/6317/block-users-from-using-certain-applications-with-applocker/