Domain Users are able to install applications.


Wobzo

I have a network where the newly deployed Workstations were tested such that
Domain Users were unable to install anything.
However it has recently happened that one of the so said users installed GE
(Google Earth).
I found this to be very concerning as this should not have been possible.
Approximately 6+ months ago, I personally tested the ability to install GE as
a user and it was not possible.
They also seemed to be able to install "MySpaceIM". My initial thought was
how was the user able to enter the keys under
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall".
I think this may be launching the application under "SYSTEM" credentials.
All other local accounts are disabled and users are not members of anything
other than the local users group.
What else are people able to run under the "SYSTEM" account?
How can I prevent the users from installing?
 
Actually, there is no specific code within Windows that determines "Limited
users cannot install software".

A Limited User is only able to write to the HKCU registry section, and to
disk folders within his/her own profile, plus a few in All Users. This has
the effect that most setup programs won't work, as they need to write to
"Program Files" and to the HKLM registry.

However, it is perfectly possible to write an installer that works within
these limitations.

One possible fix is to bar the execution of programs from within the user's
profile. This has the added benefit of preventing downloaded programs being
run. BeyondLogic's TrustNoExe does this and is very effective, though not
suitable for every situation. Worth a look anyway.

If the user has access to network shares, then of course they may also be
able to save downloaded programs there, and run them.
 
Oh, and an additional point: have you checked what groups the users are
members of on the domain controller's console? If they are members of Domain
Admins, for example, then you have a security hole you could drive a truck
through. This may not be apparent if you're looking at the local groups.
 
Wobzo said:
I have a network where the newly deployed Workstations were tested
such that Domain Users were unable to install anything.
However it has recently happened that one of the so said users
installed GE (Google Earth).
I found this to be very concerning as this should not have been
possible. Approximately 6+ months ago, I personally tested the
ability to install GE as a user and it was not possible.
They also seemed to be able to install "MySpaceIM". My initial
thought was how was the user able to enter the keys under
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall".
I think this may be launching the application under "SYSTEM"
credentials.
All other local accounts are disabled and users are not members of
anything other than the local users group.
What else are people able to run under the "SYSTEM" account?
How can I prevent the users from installing?

To add to the other reply -

You can't prevent limited users from installing software entirely, merely
based on their local group membership. As you've just seen, a lot of apps
don't require special permissions to install ...they don't write to the
restricted areas of the registry & file system.

You should look into group policy options to lock down your desktops if this
is a real concern at your company - software restriction can work well
although it can also be dangerous (play with this in a lab before
deploying). Try posting in microsoft.publicwindows.group_policy for more
help.
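
The replies above point out that an installer which only writes to HKCU and the user's profile works for a limited user without touching HKLM or "Program Files". As an added example (not from the thread or its posters), this PowerShell audit lists software registered in each loaded user hive and the executables sitting inside user profiles; it assumes an elevated session on the workstation, and the function names are hypothetical.

```powershell
# Added example; function names are hypothetical. Run from an elevated session.

function Get-PerUserInstall {
    # Per-user installers register under the user's own hive instead of HKLM.
    # HKEY_USERS only contains hives of users whose profile is currently loaded.
    foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        if ($sid -notmatch '^S-1-5-21-[\d-]+$') { continue }   # skip service accounts and *_Classes
        $key = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Uninstall"
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($entry in Get-ChildItem -Path $key) {
            $p = Get-ItemProperty -Path $entry.PSPath
            [pscustomobject]@{
                Sid = $sid; DisplayName = $p.DisplayName
                InstallLocation = $p.InstallLocation; UninstallString = $p.UninstallString
            }
        }
    }
}

function Get-ProfileExecutable {
    # Profile root (C:\Users or C:\Documents and Settings) comes from the ProfileList key.
    $root = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList').ProfilesDirectory
    Get-ChildItem -Path $root -Recurse -Force -Include *.exe, *.msi -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime
}

Get-PerUserInstall | Format-Table -AutoSize
Get-ProfileExecutable | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

The paths it reports are the locations an execution restriction on user profiles would need to cover.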
 