Users can save large amount of data directly in their Desktop folder

Version 1

    Problem

    When using the Microsoft Windows shell within RES Workspace Manager, users can save files directly on their desktop. If users save large files, their profile will increase in size and due to the behavior of  RES Workspace Manager, the files will also be stored in the ' Desktop.RES'  folder.


    Cause

    With all Microsoft Windows versions, users will be able to save files directly into their Desktop folder. RES Workspace Manager copies this folder to ' Desktop.RES'  during logon to ensure every item on the desktop is managed by RES Workspace Manager. If the Desktop folder contains large files, the required storage space will be doubled.


    Solution

    Use Security Management to prevent users from saving large files to their Desktop folder. 
     
    Redirect the %USERPROFILE%\Desktop to a location outside the %USERPROFILE% path to prevent unnecessary AppGuard blocks, for example redirect the %USERPROFILE%\Desktop to H:\Desktop
    Configure the following rule at Security > Data > Files and Folders:
     
             Type:                        Folder
             Blocked resource:     H:\Desktop\*
             Deselect "Learning Mode"
             Deselect "Silent Mode"
     
    This rule will prevent users from saving files to their desktop.
     
    If special file types are allowed, Global Authorized Files can be used to create exceptions, for example: 
    At Security > Authorized Files:
     
             Authorized files (Path):   H:\Desktop\*.lnk
             Allow only this specific process to launch or access this file: explorer.exe
             Authorized operation:     Read; Execute; Modify
     
    For Microsoft Windows 7 and Microsoft Windows Server 2008R2 additional rules are needed to delete / change / add shortcuts.
     
             Authorized files (Path):   H:\Desktop\desktop.ini
             Allow only this specific process to launch or access this file: explorer.exe
             Authorized operation:     Read; Execute; Modify
     
             Authorized files (Path):   H:\Desktop\thumbs.db
             Allow only this specific process to launch or access this file: explorer.exe
             Authorized operation:     Read; Execute; Modify
     
             Authorized files (Path):   *recycle.bin*
             Allow only this specific process to launch or access this file: explorer.exe
             Authorized operation:     Read; Execute; Modify
     
    If only specific users need exceptions, create an empty application with these rules and grant these users access to it.
     
    NOTE: Some applications (such as Internet Explorer) can generate unwanted AppGuard messages when they search for DLL`s, because they also look at the Desktop folder, even if these files are not stored at this location. If this happens, create a global AppGuard Rule or a more specific rule at Application level as desired:
     
             Authorized files (Path):   H:\Desktop\*
             Allow any process to launch or access this file
             Authorized operation:     Read; Execute 
     
    (Wildcards can be used in the file path to fine-tune the rule with only a specific file type)
     
    This rule allows the application to check if the file exists, but the Files and Folders rule always will prevent write access. So the setup is secure.