A. I was amazed how many people sent me this question, for several reasons.

  1. I never imagined that many users who had just got shiny new Windows 7 installations were desperate for a Windows XP environment.
  2. If users want a Windows XP environment, they must have some need, such an application that hasn't been taken care of at a corporate level through Microsoft Enterprise Desktop Virtualization (MED-V) or another solution.
  3. If the requirement is to stop them, it means the users are local administrators of their machines (a requirement to install XP Mode, because it's a system update), which is generally not something you see in Windows 7 environments.

Before you worry about how to stop users from installing XP Mode, it's important to understand why they want it. If they have a business need for an application that doesn't run on Windows 7, just stopping them will stop them from doing their jobs (and likely get you in big trouble). If they have a need, address that need in a controlled way, such as using MED-V to manage a corporate Windows XP image or running the legacy application on a Windows Server 2003 Terminal Server.

The easy way to stop users from installing XP Mode is to not make them local administrators, which really should be your goal with Windows 7 deployments. There are very few instances where users need to be local administrators.

If you make users local administrators and still want to stop them from using XP Mode, you need to understand the general rule that if they're local administrators, you really can't stop them from doing what they want on a box—they can work around policies or other methods, so don't expect any block to be unbeatable.

That being said, to stop for the majority of users, I'd use AppLocker or Software Restriction Policies and block the Windows Virtual PC executables. The main executable you want to block is vpc.exe, but there's a full list in this Microsoft blog entry.