As Herb stated, you should look into some sort of Proxy ( such as ISA or
privoxy - thanks, Herb... ) or a Firewall. Your Firewall may already have
this ability or it may be an add-on that you would need to purchase. This
would prevent your users from downloading ( installing is another part of
the process ) any files that have the restricted extension ( such as .exe or
.scr or whatever ). This would be a really good idea. You stop the files
in question before they get to the computer.

In a WIN2000 environment you can make use of the Restricted Software GPO.
However, there is a 'workaround' that your more tech-savvy users will
quickly figure out. They can download the file ( and this is why it is
really important to prevent this from happening in the first place ) and
then simply rename it. If the file has a name of hotbar.exe your users can
simply rename it to hotbar._exe ( to use Herb's suggestion ) and then
install it ( assuming that the application does not need to run under the
context of an Administrator - you stated that your users are members of the
local Power Users group.... ). Not all that great. Now your users think
that they are smarter than you.

In a WIN2003 environment you can really lock this down using the Restricted
Software. The major difference is that instead of using the actual file
name ( hotbar.exe ) the GPO uses a hash. So, even if the file (
hotbar.exe ) is renamed ( to hotbar._exe or hatbor._exe or whatever.exe, for
example ) the GPO does not allow that file to be installed.
--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP
http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
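
The difference between a file-name rule and a hash rule described in the post above, as an added example that is not part of the original post and not Microsoft's implementation. It models the two rule types only; SHA-256, the helper names and the file contents are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash the file's bytes; the file name is never part of the input."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def blocked_by_name(path, denied_names):
    # Name rule: compares only the file name, case-insensitively.
    return os.path.basename(path).lower() in denied_names


def blocked_by_hash(path, denied_hashes):
    # Hash rule: compares only the content digest (SHA-256 is an assumption).
    return sha256_of(path) in denied_hashes


def run_demo():
    """Return {label: (blocked_by_name, blocked_by_hash)} for constructed files."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "hotbar.exe")
        with open(original, "wb") as f:
            f.write(b"constructed stand-in bytes, build 1")
        denied_names = {"hotbar.exe"}
        denied_hashes = {sha256_of(original)}  # rule recorded from this build

        renamed = os.path.join(d, "hotbar._exe")
        os.rename(original, renamed)           # same bytes, new name
        newer = os.path.join(d, "hotbar.exe")
        with open(newer, "wb") as f:
            f.write(b"constructed stand-in bytes, build 2")

        for label, path in (("renamed copy", renamed), ("newer build", newer)):
            results[label] = (blocked_by_name(path, denied_names),
                              blocked_by_hash(path, denied_hashes))
    return results


if __name__ == "__main__":
    for label, (by_name, by_hash) in run_demo().items():
        print(f"{label}: name rule blocks={by_name}, hash rule blocks={by_hash}")
```

The hash rule still matches the renamed copy, but it is tied to one exact build, so the deny list has to be refreshed when a new version of the installer appears.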