Go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Software Restriction Policies and right click it to open a menu where you choose New Software Restriction Policies.

Open Additional Rules and right click it to create a New Path Rule.

Import the rules that are listed below.

Block executable in %AppData%:

  • Path:
    %AppData%\*.exe
  • Security Level:
    Disallowed

Block executable in %LocalAppData%:

  • Path if using Windows XP:
    %UserProfile%\Local Settings\*.exe
  • Path if using Windows Vista/7/8:
    %LocalAppData%\*.exe
  • Security Level:
    Disallowed

Block executable in %AppData% subfolders:

  • Path:
    %AppData%\*\*.exe
  • Security Level:
    Disallowed

Block executable in %LocalAppData% subfolders:

  • Path if using Windows XP:
    %UserProfile%\Local Settings\*\*.exe
  • Path if using Windows Vista/7/8:
    %LocalAppData%\*\*.exe
  • Security Level:
    Disallowed

Block executables run from archive attachments opened with WinRAR:

  • Path if using Windows XP:
    %UserProfile%\Local Settings\Temp\Rar*\*.exe
  • Path if using Windows Vista/7/8:
    %LocalAppData%\Temp\Rar*\*.exe
  • Security Level:
    Disallowed

Block executables run from archive attachments opened with 7zip:

  • Path if using Windows XP:
    %UserProfile%\Local Settings\Temp\7z*\*.exe
  • Path if using Windows Vista/7/8:
    %LocalAppData%\Temp\7z*\*.exe
  • Security Level:
    Disallowed

Block executables run from archive attachments opened with WinZip:

  • Path if using Windows XP:
    %UserProfile%\Local Settings\Temp\wz*\*.exe
  • Path if using Windows Vista/7/8:
    %LocalAppData%\Temp\wz*\*.exe
  • Security Level:
    Disallowed

Block executables run from archive attachments opened using Windows built-in Zip support:

  • Path if using Windows XP:
    %UserProfile%\Local Settings\Temp\*.zip\*.exe
  • Path if using Windows Vista/7/8:
    %LocalAppData%\Temp\*.zip\*.exe
  • Security Level:
    Disallowed

Now testing the Software Restriction Policies on a client computer (note: if the user is already logged on, you need to relog, a GPUPDATE /force doesn’t work)

Voila, but the user cannot start Teamviewer with those rules what if you want an exception for this or other legitimate software. For this you can make other rules: