If you for instance is using AppLocker in Windows 7 you know that it requires the service “Application identity” to be started for it to enforce the AppLocker rules. This could pose a problem if a user start a machine in safe mode and login there, even a standard user that is. What happens then is that the Application idendity service is not started and the user can then run anything on the machine.
Microsoft has releases a fix for this which allows us to block standard users from logging in into safe mode on our machines. You need both the patch and to add a registry value to make this change but once there your standard users will not be able to bypass AppLocker or any other security features that is not started when starting the machine in safe mode.
Download: A hotfix is available to block standard users from logging on to a Window 7-based or Windows Server 2008 R2-based computer in safe mode