Generally domain controller share is used by a user to store its documents, spread sheets, presentations etc… etc..
If a user is a programmer, then he has to save executable file (*.exe, *.com, *.dll). But we know that files with such extensions are having more chances to get infected by viruses.
For a normal user which is not a programmer there is no need of *.exe *.com *.dll etc.. file in his share, So we can prevent such users to have such file in his share.
This can reduce the risk of viruses at least in the user shares which do not require executable file.
If you wanted to disallow EXE files, COM files, or DLL files, you could have a veto files attribute that looked like this:
Veto files = /*.exe/*.com/*.dll/
This will prevent access to or storage of these types of files and effectively prevent a Samba PDC from spreading most types of Windows worms and viruses. You may want to veto other file types to effectively exclude all of the file extensions that are used by viruses to propagate.
Following is the example for User Share in which we have to disallow such kind of files:
comment = Mike’s Share
path = /home/mike
public = yes
writable = yes
printable = no
valid users = mike @hr
browseable = yes
Veto files = /*.exe/*.com/*.dll/*.sh/*.py/
We see that valid users of the above share are mike & group members of hr group, the share is browse able, the users do not have access or storage permissions to the files with extensions .exe, .com, .dll, .sh, .py