Using Policies to Block Undesirable Apps

In the early days of Windows NT, uninstalling or ripping out certain applications – such as Outlook Express or Internet Explorer – could have unintended and detrimental consequences. They were integrated so tightly into the OS that who knows what else might depend on parts of them.

Since that time, various antitrust rulings from the EU have mandated that certain Windows applications must be uninstallable, or must not come preinstalled. Whether or not Microsoft utilizes the same codebase for both international and domestic versions of Windows, I don’t know. It doesn’t make sense to maintain different versions, but we are talking about Microsoft and for some reason, decades of running Windows has made me paranoid. Having learned my lesson on NT, I tend to leave things intact and deal with them in other ways. Fortunately, there is a solution that is the next best thing to uninstalling an app: permanently disabling it.

While they're most frequently used to lock down what users can and cannot do, Software Restriction Policies can also be used to lock down which applications are allowed to run at all.

Aside from being a security hole you could pilot a galaxy through, Outlook Express is a nuisance for other reasons as well. Because it ships standard as the default mail client, it has a tendency to fire up when you do things like hit mailto: links on web pages (which can be cloaked, or which you might not notice) – and with it generally comes the equally lovely Windows Messenger IM client.

Whether or not I have a mail client installed on a machine, part of my standard routine is to lock down Outbreak Outlook Express and the IM client, as well. You can do this for any irritating app. There’s a lovely note of finality to it. Think of it as your own version of the giant Monty Python foot descending from the clouds to lay waste to that which irritates you.

The procedure is painfully simple:

1 Launch the Security Policy snap-in: Start > Run > secpol.msc.

2 Expand Software Restriction Policies.

2a If you’ve never done this before, expanding the twist box will have no effect. You’ll need to actually click the row header and then you’ll see the following message in the rule window:

2b Following the instructions, go to Action > Create New Policies. At this point, the Software Restriction Policies tree will expand.

3 Right-click the Additional Rules header (or right-click in its window) and select New Path Rule.

4 Type the path to the EXE of the app you want to block, or browse to it.

5 Make sure the Security Level is set to Disallowed (this should be the default selection).

Once you hit OK to save the rule, you never have to worry about seeing the app in question again.

In the case of mailto: links, when there is no defined mail client or when that client is explicitly disallowed by a software restriction policy, any clicks that would launch it are silently absorbed.

Should you deliberately try to start an application blocked by a restriction policy, you’ll be treated to a message like this one:

Here are the paths to the applications mentioned above:

Outlook Express:

C:\Program Files\Outlook Express\msimn.exe

Windows Messenger:

C:\Program Files\Messenger\msmsgs.exe
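The same two Disallowed path rules, created from PowerShell instead of by clicking through secpol.msc, as an added example that is not part of the original post. It writes the registry keys that Software Restriction Policies are stored under; the layout used here (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID}, level 0 meaning Disallowed, and the ItemData, SaferFlags, Description and LastModified values) is my understanding of that storage format, not something the post states. The Get-MailtoHandler check goes a little beyond the post: it reads the mailto: handler from HKEY_CLASSES_ROOT so you can confirm that the executable a mailto: click would launch is the one you just blocked.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post. Creates "Disallowed" path rules
# equivalent to the secpol.msc steps (Additional Rules > New Path Rule).
# ASSUMPTION: SRP stores path rules under
#   HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID}
# where level 0 is Disallowed and each rule key holds ItemData (the path),
# SaferFlags, Description and LastModified.

$Safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = Join-Path $Safer '0\Paths'

# Equivalent of step 2b: "Create New Policies" initialises CodeIdentifiers with
# its default values. Rather than guess those defaults, require that it has been
# done once in the GUI.
if (-not (Test-Path $Safer)) {
    throw 'No Software Restriction Policy exists yet. Run secpol.msc > Software Restriction Policies > Action > Create New Policies once, then re-run.'
}

function Add-SrpDisallowedPath {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Description = ''
    )
    # Do not create a duplicate if a rule for this path is already present.
    # (-ieq: SRP compares paths case-insensitively.)
    $existing = Get-ChildItem $Disallowed -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath).ItemData -ieq $Path }
    if ($existing) { return $existing.PSChildName }

    $guid = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $key  = New-Item -Path (Join-Path $Disallowed $guid) -Force
    New-ItemProperty -Path $key.PSPath -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $key.PSPath -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $key.PSPath -Name Description  -PropertyType String       -Value $Description | Out-Null
    New-ItemProperty -Path $key.PSPath -Name LastModified -PropertyType QWord        -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
    return $guid
}

function Get-SrpDisallowedPaths {
    # List every Disallowed path rule currently defined, for review.
    Get-ChildItem $Disallowed -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Rule = $_.PSChildName; Path = $p.ItemData; Description = $p.Description }
    }
}

function Get-MailtoHandler {
    # Which executable a mailto: link currently resolves to.
    $cmd = (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\mailto\shell\open\command' -ErrorAction SilentlyContinue).'(default)'
    if (-not $cmd) { return $null }
    # The command is typically "C:\...\msimn.exe" /mailurl:%1 ; take the quoted
    # executable, or the first token if it is unquoted.
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split ' ')[0]
}

# The two paths given in the post.
Add-SrpDisallowedPath -Path 'C:\Program Files\Outlook Express\msimn.exe' -Description 'Block Outlook Express' | Out-Null
Add-SrpDisallowedPath -Path 'C:\Program Files\Messenger\msmsgs.exe'     -Description 'Block Windows Messenger' | Out-Null

Get-SrpDisallowedPaths | Format-Table -AutoSize

# Confirm the mailto: handler is one of the executables now covered by a rule.
$handler = Get-MailtoHandler
if ($handler) {
    $covered = Get-SrpDisallowedPaths | Where-Object { $handler -ieq $_.Path }
    "mailto: handler = $handler ; covered by a Disallowed rule: $([bool]$covered)"
}
```

Two things worth knowing before relying on this. A path rule matches the file's location, not its contents, so a copy of msimn.exe placed anywhere else is not caught by it; a hash rule (New Hash Rule in the same Additional Rules view) blocks the binary wherever it sits, at the cost of needing an update whenever the file changes. And on a domain-joined machine, Group Policy refresh can overwrite locally written SRP keys, so there the rule belongs in the GPO rather than in the local policy.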