Motivated initially by this article, there doesn't seem to be any reason to leave 16-bit execution enabled at all, but particularly on my DMZ, where anything that shrinks the attack surface just makes my day happier.
Disabling this is a snap in group policy – Computer Configuration/Policies/Administrative Templates/Windows Components/Application Compatibility/Prevent access to 16-bit applications
However, does anybody know where to find this in a non-domain joined computer, with only Local Security Settings? Or elsewhere?
Best Answer
You can set this setting "manually" by adding a REG_DWORD value named "VDMDisallowed", set to "1", at "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat". I'd just script using the REG command to set it:
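The command the answer refers to is not shown on the page. As an added example (not the answerer's own script), this is one way to set and verify the value with reg.exe from an elevated PowerShell prompt on a standalone machine. The function names are hypothetical; the key path and value name are the ones given in the answer.

```powershell
# Added example, not from the original answer. Function names are hypothetical.
# Key path and value name are the ones quoted in the answer above.
$RegKey    = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat'
$ValueName = 'VDMDisallowed'

function Get-VdmPolicyState {
    # Report the current setting: Blocked, Allowed or NotConfigured.
    $item = Get-ItemProperty -Path "Registry::$RegKey" -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item)        { return 'NotConfigured' }
    if ($item.$ValueName -eq 1) { return 'Blocked' }
    return 'Allowed'
}

function Set-VdmDisallowed {
    # reg.exe creates the AppCompat key if it is missing; /f overwrites without prompting.
    & reg.exe add $RegKey /v $ValueName /t REG_DWORD /d 1 /f | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "reg.exe add failed with exit code $LASTEXITCODE"
    }
}

# Writing under HKLM\Software\Policies requires administrator rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated prompt.'
}

$before = Get-VdmPolicyState
if ($before -ne 'Blocked') {
    Set-VdmDisallowed
}
$after = Get-VdmPolicyState

# One line per host, suitable for collecting when hardening several DMZ machines.
'{0}: {1} was {2}, now {3}' -f $env:COMPUTERNAME, $ValueName, $before, $after

# Non-zero exit lets a calling script or scheduler detect a host that is still unprotected.
if ($after -ne 'Blocked') { exit 1 }
```

Re-running the script is safe: it only writes when the value is not already 1, and the exit code reflects the state it reads back.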