Difficulty: Medium
Correct Answer: Create a mandatory user profile that disables the Run command; assign it to all users and remove File Manager from the Main group
Explanation:
Introduction / Context:
In classic Windows NT environments, administrators often used mandatory profiles and shell restrictions (Program Manager/Explorer policies) to limit what users could execute. The goal is to provide only approved applications and block ad-hoc execution mechanisms like the Run dialog or file browsing tools that expose arbitrary executables.
Given Data / Assumptions:
Concept / Approach:
A mandatory profile combined with shell restrictions targets the user-interface entry points through which users would launch unwanted software. This approach is scalable and minimizes administrative overhead. While NTFS permissions are important, a blanket “Deny All” is risky and brittle. Deleting system executables is unsupported and may break administrative workflows or updates.
Step-by-Step Solution:
Verification / Alternative check:
After the profile is applied, users should see only sanctioned program groups and no Run dialog; attempts to browse to executables should be blocked by UI restrictions and, where appropriate, by NTFS permissions.
Why Other Options Are Wrong:
Common Pitfalls:
Relying solely on UI restrictions without NTFS; forgetting to store the profile on a resilient share; not testing with a non-admin user.
Final Answer:
Create a mandatory user profile that disables the Run command; assign it to all users and remove File Manager from the Main group.