In tip 050 we learned that setting the RestrictRun Value in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer key to 1 would allow us to configure allowed programs at the RestrictRun key:
RestrictRun can only works from the Explorer process. It does not prevent users from running programs, such as Task Manager, that are started by the system process or by other processes such as CMD.EXE.
For Windows NT to operate properly, users must be permitted to run Systray.exe and setup.exe (both are in %SystemRoot%\System32).
The value entries in this subkey represent local programs which can appear in any order. The value entries have the following syntax:
Decimal number (starting with 1) of type REG_SZ with a data string which is the name of executable file.
1 REG_SZ setup.exe
2 REG_SZ systray.exe
3 REG_SZ Iexplore.exe
4 REG_SZ JSITTARH.EXE