Steven
Sun Nov 07 22:35:42 CST 2004
You really need to prevent users from being local administrators or power
users which will stop them from installing most applications that need to
write to the program files folder or system folder. Below is a post I made
in the past with some things you may consider. --- Steve
******************************************************************
The best solution is to upgrade to XP Pro and use Software Restriction
Policies, which are very powerful in restricting such via hash, certificate,
and path rules. See the link below for info on that.

http://support.microsoft.com/?kbid=310791

For W2K it is much more difficult but the following can help. Some
"applications" may be a single executable file, which is almost impossible
to prevent.

-- Do not give users rights beyond belonging to the default users group.

-- Change ntfs permissions on the root/drive folder to be no more than
read/list/execute for users/everyone, being sure to check advanced ntfs
permissions also.

-- Use Local Group Policy [gpedit.msc] to populate the disallowed Windows
applications list in user configuration/administrative templates/system,
keeping in mind that by default local Group Policy applies to ALL users
including administrators, though there are a couple of workarounds. Be sure
to also put command.com, install.exe and setup.exe in the list and read the
full explanation of the policy setting and what it does. You may also want
to disable the command prompt and registry editing while there, again
reading the full explanation.

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q293655&
http://support.microsoft.com/default.aspx?scid=kb;en-us;323525

-- Consider using ipsec filtering via Local Security Policy or a personal
firewall that can map rules to applications protected via an MD5 hash to
prevent users from using unauthorized internet applications if they do
somehow install some.

-- Consider modifying the ntfs permissions on the user's profile folder to
prevent them from creating folders. This would have to be done via ntfs
advanced/special permissions and may interfere with user functionality or
may not. The benefit is that many applications need to create folders during
an installation and that may prevent those installations from succeeding. It
did work on a test computer of mine.

-- Users can easily become local administrators with free programs if they
can boot to an alternate device such as cdrom or floppy. Therefore it is
recommended that you allow only booting from the hard drive in cmos,
password protect cmos settings, and lock the computer case to prevent access
to the cmos reset jumper or hard drive removal. If possible also disable USB
in cmos and use a registry setting or Group Policy to disable auto run for
the cdrom. --- Steve

"Todd Flippin" <Todd Flippin@discussions.microsoft.com> wrote in message
news:4C3C3D22-A472-4315-801D-62022620B0EE@microsoft.com...
> I have been trying to figure out a way to keep users from installing
> applications from cd or through the web to a workstation. Everything I
> have tried restricts administrators as well. Most of the tips I have tried
> have come from winguides.com. It has some helpful information but not
> exactly what I am looking for.
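
An audit of the settings the reply above recommends, as an added example that is not part of the original thread. It is written in PowerShell, which post-dates the post, and assumes the LocalAccounts cmdlets of Windows PowerShell 5.1; the registry locations are the ones these policy settings write to.

```powershell
# Added example: audits the settings recommended in the post above. Run it in the
# restricted user's session, because most of these values are stored under HKCU.
$explorer = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns the registry value, or nothing when the key or the value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# File names listed under the disallowed Windows applications policy.
$blocked = @()
$key = Get-Item -Path "HKCU:\$explorer\DisallowRun" -ErrorAction SilentlyContinue
if ($key) {
    $blocked = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
}
$required = 'command.com', 'install.exe', 'setup.exe'   # the three names from the post
$missing  = @($required | Where-Object { $blocked -notcontains $_ })

# Members of local Administrators (S-1-5-32-544) and Power Users (S-1-5-32-547).
$privileged = foreach ($sid in 'S-1-5-32-544', 'S-1-5-32-547') {
    Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name
}

# Autorun is off for CD-ROM drives when bit 0x20 of NoDriveTypeAutoRun is set.
$autorun = foreach ($hive in 'HKLM:', 'HKCU:') {
    Get-PolicyValue "$hive\$explorer" 'NoDriveTypeAutoRun'
}
$cdAutorunOff = @($autorun | Where-Object { $_ -band 0x20 }).Count -gt 0

$cmdKey = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$sysKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

[pscustomobject]@{
    PrivilegedMembers    = $privileged -join '; '
    DisallowRunEnabled   = (Get-PolicyValue "HKCU:\$explorer" 'DisallowRun') -eq 1
    MissingFromBlockList = $missing -join ', '
    CommandPromptOff     = (Get-PolicyValue $cmdKey 'DisableCMD') -in 1, 2
    RegistryEditingOff   = (Get-PolicyValue $sysKey 'DisableRegistryTools') -in 1, 2
    CdAutorunOff         = $cdAutorunOff
} | Format-List
```

Any ordinary user account appearing in PrivilegedMembers undoes the rest of the list, so review that field first.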