Advice on restricting executables in Home Premium for standard user

As most are aware, gpedit is not available in Win7 Home Premium. I've tried a "hack" to install it, then set up an SRP, which others seem to have had success with, but I have not. It installs and runs but does not restrict executable from running.
Similarly, I tried PGS, which is really for Vista, not WIn 7. It does a better job, but has problems. i.e. I can't run batch files, and even adding a path rule does not solve the problem. I also had services which did not run after setting it up, so it is out also.

It seemed to me that I could go and restrict access to executables on most directories/disks, but I know little of windows 7 file permissions and they intentionally seem to make little sense. For example, why do you need a "read and execute" permission and also a "read" permission? Why not a "read" and separate "execute"? Also, if you click off the "read and execute", you lose "modify"?? I'm used to linux which makes sense to me.

So my question really boils down to the following.
Is there any way I can restrict execution to a few directories and executables without screwing up other permissions? I WANT to run as a standard user, not as an administrator, and still be able to modify files outside of restricted areas without being able to execute them.


As far as I'm concerned, Microsoft really dropped the ball from a security perspective when they failed to include this kind of option in home premium and basic. Such a simple way to limit threats, and they expect home users to pay extra for it. But they give away MSE, which HAS to cost them a lot more to maintain.

 

Back in the Windows 2000 days I tried to configure NTFS file permissions for that same purpose. I do not think I ever was fully successful, but then with XP and SRP, I quit trying with NTFS. You would think there could be a way to configure that, and I thought I heard years ago, somewhere, that somebody did successfully configure the NTFS permissions to deny execute and allow modify in certain directories.

 

tried parental controls?

 

I turned on Parental Controls briefly. Of course the first 2 things I tried had issues. Not terrible ones.
The media browser plugin for MC complains that there are restrictions and I have to turn Parental Controls off to remove them, but seems to play things ok.
Cygwin Terminal complains about some exe not having access but seems to run fine. The path to that exe starts //?/c/... so something in an initialization file probably.

I will continue to look into it, but it looks like parental controls boils down to having to whitelist anything you want to run. So you have to update Parental Controls after every installation of new software. Kind of a PITA. I'm partly looking into this so I can enhance the security of my mother's PC. Programs nearly never get installed there, so that won't be a problem, but it will be nice to know she can't get into too much trouble clicking on links to executables sent by her friends. Her friends just don't seem to understand that they shouldn't do this. She doesn't understand she should check those links out before clicking on them.

 

As long as you do not change permissions of Windows, Program Files.

For download use EVERYONE

For other user directories use USERS (with ADMIN still possible to execute/install)

I renamed my temp diectory (in C:\Users\[YOUR USER NAME]\AppData\Local\Temp) to Install directory (most installers expand their executables/msi packages). I allowed Users to execute from this directory and added the 1806 trick (but you have to use chrome or IE) to close this "gap"

1806 trick https://www.wilderssecurity.com/attachment.php?attachmentid=230194&d=1320925887