Make files copied into a folder not executable?

Is there a way to make any files got copied into a folder not executable by any user?

The folder is writable, but nothing inside can be executed directly.

Solution 1:

Yes, you can remove the execute permissions from the folder by using advanced permissions.

  1. Right-click on the folder name and choose "Properties".

  2. Click the "Security" tab.

  3. Click the "Advanced" button.

  4. Click the "Change Permissions..." button.

  5. Uncheck "Include inheritable permissions from this object's parent"

  6. A window will appear. Click "Add" to keep the existing permissions. You will edit them in the next steps.

  7. Add or select the user or group that you want to restrict from executing files. If you are selecting an existing group, click the "Edit..." button.

  8. The following window will appear. Uncheck the allow checkbox for "traverse folder / execute file" which I've enclosed in red.

    Screenshot of the Windows advanced permissions setting for a folder object.

According to the Microsoft Technet entry on permissions for files and folders, the "traverse folder / execute file" permission does the following:

For folders: Traverse Folder allows or denies moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. (Applies to folders only.) Traverse folder takes effect only when the group or user is not granted the Bypass traverse checking user right in the Group Policy snap-in. (By default, the Everyone group is given the Bypass traverse checking user right.)

For files: Execute File allows or denies running program files. (Applies to files only).

Setting the Traverse Folder permission on a folder does not automatically set the Execute File permission on all files within that folder.

Solution 2:

This is one of the rare cases where using Deny permissions is actually useful. It may be more convenient to add a deny permission than to change the allow permissions.

You can do this from the command line (on Vista or later) like this:

icacls c:\path\to\my\folder /deny Everyone:(OI)(IO)(X)

You can also do it from the GUI if you prefer. You don't need to turn off "Include inheritable permissions from this object's parent" but I recommend you select the "Apply to files only" option.

Solution 3:

This can be done by carefully crafting the permissions on the parent directory. Specifically you want to not grant "Execute" (grant R, not RX) to anyone, especially the special CREATOR-OWNER user. This will deny Execute to everything.