Skip navigation

JSI Tip 0496 - How can I prevent users from running Explorer.exe?

Even if you Locked down that desktop and are using RestrictRun, educated users can still gain access to Explorer by inserting an object (Explorer.exe) from a Microsoft Office application.

To prevent this, remove the Read (R) permission (retain the Execute (X) permission) from the Everyone Group. If the file can not be read, they can't insert an object, yet the Execute permission still allows Explorer to function as the shell.

In Explorer, highlight %SystemRoot%\Explorer.exe, right-click, and select Properties / Security / Permissions. Double-click the Everyone Group and clear the Read(R) attribute in the Special Access dialog box. You can also use XCACLS from the

xcacls.exe explorer.exe /t /e /p everyone:x
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.