restrict user to use Application,USB,CDROM on standalone workstation

hello everyone in my organization we dont have domain we have workgoup and its on windows 7
they have asked me to restrict users to open certain application and disable USB and cd rom
i tried to do it with gpedit.msc by following these steps

gpedit.msc >computer configuration >security setings >application control >applock under app lock
clicked on executable rule then right click and select new rule > permission deny > file hash > and the selected notepad.exe

one more things i choosed the user name i created and applied on it.

but the notepad gets denied on every user i have even administrator.
same thing happens when i disable USB and cd rom.


is there any way to deny access of the application on a user level and the application or USB/CDROM prompt for the administrator password to use that application or USB/CDROM
please HELP its very urgent.

Try Group Policy approach as described in Local Group Policies - Apply to All Users Except Administrators

GOKAY thanks it worked now i can apply policies on users. i disabled the control panel looked for it in run clicked it and the message i got was contact your administrator that is good, problem one is solved

second problem is deny access of the application on a user level and the application or USB/CDROM prompt for the administrator password to use that application or USB/CDROM . for example i right click on usb or an application run it as administrator give them acceess for a certain time and the the time expires automatically. and i dont need to login physically as an administrator. cause i need to do the same task remotely in different locations

If Group Policy won't work as you want for applications, you can use Parental Controls.
Parental Controls - Setup and Use
See the Related Tutorials at the end for how to allow/block applications.

For USB if Group Policy doesn't cut it, see if any of these mentioned methods work for you - 5 Ways to enable or disable USB Drives or Ports in Windows.

No idea for CD/DVD drives though.

Would running explorer.exe as administrator work when logged in as a locked user?

parental is the last option i have. i was hoping for something better like in active directory a user get prompted or if we right click the application or usb drive and run it as administrator then we can access it, but it seems like there is no way to do it in a standalone OS. lets see what happens when i tell this to my BOSS :)
thank you for your support and help really appreciate it.

Do you have UAC enabled? You can try right click running as admin for programs. But I have no idea if you are supposed to be asked for admin credentials when trying to start a locked device.

just tried UAC it does not have many features all it is doing is showing alerts every time on every single task

Did you have it disabled to start with? The default UAC setting is 1 tick below the top setting, not the top one.

expressions said:

...for example i right click on usb or an application run it as administrator give them access for a certain time and the the time expires automatically. and i dont need to login physically as an administrator. cause i need to do the same task remotely in different locations

That is not going to happen at the application level automatically using Group Policy or Parental Controls.

If I am understanding you correctly...
...you could get a phone call from a user at 9am
...you remote into a the computer being used by that user
...you right-click on an app and select run as admin from the context menu
...you enter the admin credentials
...you end your remote control session
...the user that called you uses the app that you started
...that app automatically ends one* hour after you started the app.

*or some other length of time.