0

I have a Windows 7 Ultimate machine with some users with and without administrative privileges. There are confidential batch files and confidential LaTeX packages in some directories in c:\. Only users with administrative privileges are allowed to see those confidential codes. Users without administrative privileges are only allowed to make use of them.

How can I prevent non-administrator users from seeing confidential script code in c:\ while they can still make use of it?

1 Answer

3

You have two privileges you're trying to control separately:

  • Execute a specific batch file
  • View the contents of a specific batch file

On a single machine, these two privileges are essentially inseparable: You cannot let someone execute a batch file unless they have read permission on it, and if they have read permission they can always open it up in Notepad or some other text editor.

As Darth Android suggests, to do what you're asking you need to introduce an intermediary between the user and the batch files. This would be a separate computer that is not under the user's control, but the user is allowed to request that the intermediary execute batch files on his behalf.

An analogy is how I perform money transfers with my bank. I need to be able to make these transfers, but if the bank were to give me access to their database so I could transfer the funds myself, that would be quite a security problem, indeed!

Instead, the bank gives me a website I can log in to. Once I log in, I can request that the website perform transfers on my behalf. The website knows that I'm allowed to request money transfers, but it also knows I'm not allowed to see information for accounts I don't own.
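The intermediary described in the answer above, as an added Python example that is not part of the original answer: the broker maps a job name to a script only it can read, runs it, and returns just the exit status and output. The names `handle_request`, `ALLOWED`, the `build-report` job and the stand-in script are assumptions; the network transport and user authentication are left out.

```python
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for a confidential script. On the real intermediary this
# would be a batch file launched with ["cmd.exe", "/c", path]; here the
# interpreter is sys.executable so the example runs on any OS.
SECRET_BODY = "print('report built')  # confidential logic lives here\n"


def make_registry(directory):
    """Write the constructed script and map a public job name to its command."""
    path = os.path.join(directory, "build_report.py")
    with open(path, "w") as handle:
        handle.write(SECRET_BODY)
    return {"build-report": [sys.executable, path]}


# Hypothetical policy: which user may request which job name.
ALLOWED = {"alice": {"build-report"}}


def handle_request(user, job, registry, allowed=ALLOWED):
    """Run a registered job for an authorized user; return status and output only."""
    # The client sends a job name, never a path or arguments, so it cannot
    # point the broker at other files or inject command-line text.
    if job not in registry or job not in allowed.get(user, set()):
        # Same reply for "unknown job" and "not permitted": no name probing.
        return {"ok": False, "error": "denied"}
    try:
        done = subprocess.run(registry[job], capture_output=True, text=True,
                              timeout=30, shell=False)
    except subprocess.TimeoutExpired:
        return {"ok": False, "error": "timeout"}
    # Only exit code and stdout go back. stderr stays on the broker because
    # interpreter error messages can quote script lines and paths.
    return {"ok": done.returncode == 0, "exit_code": done.returncode,
            "output": done.stdout}


def demo():
    with tempfile.TemporaryDirectory() as directory:
        registry = make_registry(directory)
        return (handle_request("alice", "build-report", registry),
                handle_request("bob", "build-report", registry),
                handle_request("alice", "..\\secret.bat", registry))
```

A batch file echoes each command line unless it starts with `@echo off`, so on a real broker the returned output can itself reveal script lines and should be checked before it is sent back.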