Users Cannot Be Prevented From Loading Programs (No One Can Answer)

MarkS

No one in three Windows newsgroups has replied to this one. I cannot imagine
that it is much of a stumper. Please read below and throw me a bone if you
know something. Thanks.

****************************************************

I have set up our network so that all Win2k and WinXP workstations have their
users (all domain users) log on to the local users group, not power users or
administrators.

I recently discovered that if a user downloads software or puts in a CD,
many programs will allow loading to C:\Documents and Settings\ProfileName.
I understand that this is because NTFS allows a user full access to their
own profile.

What is the best way to allow a user to function normally (yes, a loaded,
undefined term), yet still prevent them from installing software? It would
be easier if some workstation template or easily deployable solution were
involved, rather than going to management and asking them to spend more
money.

Thanks in advance.

Mark Simmerman
Napa, CA
 
I found some interesting thoughts here:

http://x220.win2ktest.com/forum/topic.asp?TOPIC_ID=7740
 
On Windows 2000 you are doing most of what you can do already. You can use Group
Policy/user configuration/administrative templates/system and try to populate the
"run only allowed Windows applications" or "don't run specified Windows applications"
lists, but they can be of limited value if you read the full description and the fact
that users may figure out that if they rename applications they can bypass these
restrictions. I would however add install.exe and setup.exe to the "don't run"
setting. You can also configure web content zones to disable downloading of files
using IE, possibly adding just approved download sites [if any] to the trusted zone,
and also use Group Policy/user configuration/administrative templates/Windows
Components/Windows Explorer to hide/disable the CD-ROM drive from the user [though
they may get access other ways, including if they can use the command prompt, which
can also be disabled]. Disabling autorun for the CD-ROM is also a good idea. You could
try modifying their NTFS permissions on their profile, possibly using advanced
permissions to not allow the user to create folders, which may inhibit installations
as many create folders, but that may interfere with user functionality.
http://support.microsoft.com/default.aspx?scid=kb;en-us;323525

Windows XP Pro is an entirely different story. You can use Software Restriction
Policies to effectively prevent a user from running/installing unauthorized
applications with path/certificate/hash rules. In your case you could create a
"disallowed" path rule to the documents and settings or users folder to prevent them
from what they are doing. Test it out on one computer before rolling it out on your XP
boxes, but I think you will LOVE it and have a lot of surprised users. See the links
below for more information. --- Steve
http://support.microsoft.com/?kbid=310791
http://www.microsoft.com/technet/tr...et/prodtechnol/winxppro/maintain/rstrplcy.asp
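
Added example, not part of the original thread: a simplified Python model (not Windows code) of the two controls the reply compares, the name-based "don't run" list and a Software Restriction Policies "disallowed" path rule, run over constructed launch attempts. The user name, paths and the longest-prefix matching are assumptions made for illustration.

```python
import ntpath

# Constructed values mirroring the reply's advice; not a real policy export.
DISALLOW_RUN = {"install.exe", "setup.exe"}        # "don't run" list (name match)
SRP_PATH_RULES = [                                 # (path prefix, security level)
    (r"C:\Documents and Settings", "disallowed"),
]
SRP_DEFAULT_LEVEL = "unrestricted"


def blocked_by_name_list(exe_path):
    """Name-based list: only the program's file name is compared."""
    return ntpath.basename(exe_path).lower() in DISALLOW_RUN


def srp_level(exe_path):
    """Path rules: the longest (most specific) matching prefix decides."""
    target = ntpath.normcase(ntpath.normpath(exe_path))
    best = None
    for prefix, level in SRP_PATH_RULES:
        p = ntpath.normcase(ntpath.normpath(prefix))
        # Match the folder itself or anything below it, not sibling folders.
        if target == p or target.startswith(p + "\\"):
            if best is None or len(p) > len(best[0]):
                best = (p, level)
    return best[1] if best else SRP_DEFAULT_LEVEL


def evaluate(launches):
    """Return {path: (blocked_by_name_list, blocked_by_path_rule)}."""
    return {p: (blocked_by_name_list(p), srp_level(p) == "disallowed")
            for p in launches}


# Constructed launch attempts by a member of the local Users group.
SAMPLE_LAUNCHES = [
    r"C:\Documents and Settings\jdoe\Desktop\setup.exe",
    r"C:\Documents and Settings\jdoe\Desktop\setup-renamed.exe",
    r"c:\documents and settings\jdoe\Local Settings\Temp\app\tool.exe",
    r"C:\Program Files\Office\winword.exe",
    r"D:\setup.exe",
]

if __name__ == "__main__":
    for path, (by_name, by_path) in evaluate(SAMPLE_LAUNCHES).items():
        print(f"{path:68} name-list={by_name!s:5} path-rule={by_path}")
```

The last row shows why the reply pairs the path rule with CD-ROM and autorun restrictions: a path rule scoped to the profile folder does not cover programs run directly from another drive.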
 