There are several settings that can allow access to items that are not among a user's Workgroup approved items. First, the Administrator has the option to allow applications to be opened by other applications (sub-launched), on a per-application basis. This option is accessed by choosing Application Preferences from the Configuration menu. For the sake of tighter security, the default setting is to not allow applications to be sub-launched.
If an Administrator sets the option to allow sub-launching of an application, then that application can be opened from the Restricted Finder. Macintosh Manager does not see this situation as a security risk and allows it to happen.
To work around this, simply disable the "Allow this Application to be opened by other Applications" option for all applications that you do not want users to be able to access. The application will show up in Application Preferences once it has been added to any workgroup.
To enable helper applications for something such as a web browser without granting access to the helper application itself, enable the "Applications can open other applications, such as helper applications" option in the Security tab of the Computers tab. This setting does not apply to the shell application (Finder or Panels), so it will not override the approved application settings for the workgroup. Finder and Restricted Finder are environments in which the Finder is the shell application; the Panels environment has Panels as its shell application.
A user will also be able to launch non-approved items in the following situations:
- The application or an alias to the application is in the Apple menu and the workgroup has access to other items in the Apple menu. This is set in the Apple Menu section of the Privileges tab of the Workgroups tab.
- The application or an alias to the application is in the Control Panels folder and the workgroup has access to Control Panels. This setting is also in the Apple Menu section mentioned above.
- The application or an alias to the application is in the Startup or Shutdown Items folder and the workgroup can open items in this folder. This setting is in the Options tab of the Workgroups tab.
Note: The checkbox is labeled Startup Items but pertains to both folders.
- The workgroup is set for "members can open any items on local volumes." If this is set, any member of the workgroup can launch any application on a local volume. This setting is in the Items tab of the Workgroups tab. Local volumes do not include AppleShare, CD-ROM, or removable media (such as floppy or Zip) volumes.
- If access to all CD-ROMs in the Computers: Security Tab is allowed, all items on all CD-ROM disks are available to all users. The Removable Media setting in the Workgroup: Privileges Tab only affects removable media which can be accessed in the Finder such as Zip disks and floppy disks.
- The workgroup has an approved document created by a non-approved application. This can be done by dragging a document into the approved items list. Approving a document will automatically approve the creator application. Removing the document from the approved items list will also remove approval for the application, if the application and other documents are not approved.