-----Original Message-----
I just asked the same question under the Active Directory
section and got this reply from:
"Bit Surfer" <
[email protected]>
Man, this is a tough nut to crack.
I don't know of any single "cure all" to this problem, but
I think there are
a few options.
First, what rights do the users have on their machines?
If they haven't
been given elevated local rights on the computer they're
using, they won't
be able to install software. This holds true for most
software, although
I've seen a few applications that were able to be
installed by
non-privledged users. This approach can lead to problems
running certain
applications, although you can get around some of these
problems by applying
the compatws.inf security template.
Another thing you can do is restrict access to drives.
Create an OU with
the users you wish to restrict & lock down access to the
floppy & CD-ROM
drives. This can cut down on problems if people bring
things from home.
If you're like me, my greatest problem came from people
downloading junk on
the Internet. In active directory, you can set a policy
to prevent file
downloads. Obviously, if they don't download it, they
won't install it.
This leads to other problems, though, as it blocks *all*
file downloads -
exe or pdf, it doesn't matter. If you choose to do this,
be ready to do a
lot of downloading for your users, or spend time setting
up "trusted sites".
I think a more eloquent solution to blocking downloads is
to set up a
transparent caching proxy server (say Squid) and allow it
to filter based on
file extension.
.
