Motivated initially by this article, there doesn't seem to be any reason to leave 16-bit execution enabled at all, but particularly on my DMZ, where anything that shrinks the attack surface just makes my day happier.
Disabling this is a snap in Group Policy: Computer Configuration/Policies/Administrative Templates/Windows Components/Application Compatibility/Prevent access to 16-bit applications.
However, does anybody know where to find this on a non-domain-joined computer, with only Local Security Settings? Or elsewhere?
You can set this setting "manually" by adding a REG_DWORD value named "VDMDisallowed", set to "1", at "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppCompat". I'd just script using the REG command to set it:
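Added example (not the answerer's original script, which did not survive on this page): a PowerShell script that audits or enforces the registry value named in the answer above and reads it back to confirm. The script layout, the `-AuditOnly` switch and the `Get-VdmDisallowed` helper are assumptions made for this example; the key path, value name, type and data are the ones given in the answer.

```powershell
# Added example: audit or enforce "Prevent access to 16-bit applications"
# on a standalone (non-domain-joined) machine via the policy registry value.
# Equivalent one-liner with the REG command, from an elevated prompt:
#   reg add "HKLM\Software\Policies\Microsoft\Windows\AppCompat" /v VDMDisallowed /t REG_DWORD /d 1 /f
[CmdletBinding()]
param(
    # Hypothetical switch for this example: report state only, change nothing.
    [switch]$AuditOnly
)

$KeyPath   = 'HKLM:\Software\Policies\Microsoft\Windows\AppCompat'
$ValueName = 'VDMDisallowed'

function Get-VdmDisallowed {
    # Returns the current value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

$current = Get-VdmDisallowed
if ($current -eq 1) {
    Write-Output "Compliant: $ValueName is already 1."
    return
}

$shown = if ($null -eq $current) { '<not set>' } else { $current }
Write-Warning "Not compliant: $ValueName is $shown (expected 1)."
if ($AuditOnly) { exit 1 }

# Writing under HKLM\Software\Policies requires an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Administrator rights are required to write this policy value.'
}

# The AppCompat policy key may not exist on a machine with no policy applied.
if (-not (Test-Path -Path $KeyPath)) {
    New-Item -Path $KeyPath -Force | Out-Null
}
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back rather than trusting the write.
if ((Get-VdmDisallowed) -ne 1) {
    throw "Verification failed: $ValueName was not set to 1."
}
Write-Output "Set $ValueName = 1 under $KeyPath."
```

Run with `-AuditOnly` to use it as a compliance check that exits non-zero when the value is missing or wrong.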
Thanks for the script, much easier - and quicker - than going through the registry and adding it manually.
Oops, my bad! First time commenting here, didn't see how to reply to the first answer.
Sorry!