Hello,
there are a couple of options .
1. You can set up local security and restrict access to run specific applications. To do this, open the Local Security Policy snap-in (secpol.msc, this option can also be used in a domain). There will be a "Software Restriction Policies" section, right click on it and create a new policy. Subsections will appear, you need the "Additional Rules" section. In this section, you need to add rules specifying the path to the file or folder to which access is denied. When creating the rule, in the Security Level field, select Not Allowed. For example, if you specify the path: "%userprofile%\Local Settings\Temp" (masks and environment variables are supported) then the user will not be able to run any program from this folder for execution - he will receive a warning that the launch is limited by security policy. In this case, if the file is moved to another folder, it can be launched. There is another option to add a hash rule. This should protect you from running the file while moving. I note that this mechanism completely ignores user rights and will work equally for both a regular user and an administrator.
2. You can restrict read/run access at the NTFS level for a specific user. To do this, go to the properties of the desired file/folder and simply set the required permissions.
Good luck!

www.oszone.net/3634/#3