By definition, a limited User is not supposed to be able to perform administrative tasks which affect all users of the computer. However, they seem to be able to do so anyway with such programs as Task Manager, Regedit, and mmc. I tried to apply deny permissions to such files to non-administrators individually or as user group. This does not accomplish anything because anyone with authority to download or copy a file can put such executable files in a different directory than windows and execute them.I do not know how to set a Group Policy which would provide different permissions to different users because in a workgroup, there is only one Local Group object, and the computer is not part of a domain.Also already Program Files is read-execute only and hidden to non-Administrators.An additional concern is that if a user could do this, also a virus could do so.I want to block both and keep administrative rights for the administrator.1 person needs an answerI do too

Microsoft's SteadyState might be a good fit for you. http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx More on SteadyState - http://aumha.net/viewtopic.php?t=27570 SteadyState support - http://social.microsoft.com/forums/en-US/windowssteadystate/threads/ SteadyState how-to (not supported in Windows 7 yet) - http://www.howtogeek.com/howto/6520/windows-steadystate/MS-MVP - Elephant Boy Computers - Don't Panic!