For those of us who apply SRP and enforce those rules for ALL USERS EXCEPT ADMIN and want to deny basic users (unelevated) to run bat and cmd files when running as a user belonging to the admin group in UAC protected folders. Even when you have set a DISABLED (deny run) policy for CMD.EXE you will notice that it is always possible to execute bat and cmd files. Save the test.txt as test1.bat and test2.cmd and place them somewhere in Program Files directory. Test.bat/cmd will run despite the deny execute policy Two text files for CMD and BAT, save them as .reg files - RunAS_ADMIN_xxx makes sure cmd.exe is blocked when running unelevated, assign run as admin - Defiault_xxx (where xxx = BAT or CMD) sets the values back to default. Regards Kees NB1. SRP works outside Windows and Program Files folders, this tweak is just changing shell access to add a speed bump / threshold for exploits. NB2. Link to open source SRP (credits to Mr.Brian finding it) http://sourceforge.net/projects/softwarepolicy/files/