Even if you Locked down that desktop and are using RestrictRun, educated users can still gain access to Explorer by inserting an object (Explorer.exe) from a Microsoft Office application.

To prevent this, remove the Read (R) permission (retain the Execute (X) permission) from the Everyone Group. If the file can not be read, they can't insert an object, yet the Execute permission still allows Explorer to function as the shell.

In Explorer, highlight %SystemRoot%\Explorer.exe, right-click, and select Properties / Security / Permissions. Double-click the Everyone Group and clear the Read(R) attribute in the Special Access dialog box. You can also use XCACLS from the

xcacls.exe explorer.exe /t /e /p everyone:x