Solved

Software Restriction

Posted on 2004-04-01
8
2,385 Views
Last Modified: 2013-12-04
I have a Win2k domain running a small network. Attached to the network are WinXP and Win98SE machines. What I am attempting to do is limit a certain group of users by only allowing them to run specific programs (mainly blocking IE). The other groups of user need full access to the system with no restrictions. What is the most efficient way to do this?
0
Comment
Question by:jsmithswi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 12

Accepted Solution

by:
trywaredk earned 250 total points
ID: 10735919
If you are running Active Directory create an Organisational Unit for the certain group of users, and create a group policy for them

Domain Security Policy in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;EN-US;221930

HOW TO: Restrict Users from Running Specific Windows Programs in Windows 2000
http://support.microsoft.com/?kbid=323525

Description of the Software Restriction Policies in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;310791

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10735930
How do I use Group Policy to implement Internet Explorer Advanced Settings?
http://www.jsiinc.com/subm/tip6400/rh6403.htm

Internet Explorer Group Policy security settings need some extra help?
http://www.jsiinc.com/subj/tip4800/rh4816.htm

One can restrict the programs that a user can run
http://is-it-true.org/nt/registry/rtips113.shtml
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10735982
If you are not using Active Directory, then add the certain group of users in an global group, and run a loginscript adding a reg-file to them. Be sure, that they are not members of the local admin group.

Internet Explorer Control Panel Restrictions (Part 1)
http://www.winguides.com/registry/display.php/537/

Internet Explorer Control Panel Restrictions (Part 2)
http://www.winguides.com/registry/display.php/797/

Disable Network Messenger Service (Windows NT/2000/XP)
http://www.winguides.com/registry/display.php/1228/

Disable MSN Instant Messenger
http://www.winguides.com/registry/display.php/981/

Disable Run Commands Specified in the Registry - This restriction is used to disable the ability to run startup programs specified in the registry when Windows launches.
http://www.winguides.com/registry/display.php/876/

Disable Registry Editing Tools
http://www.winguides.com/registry/display.php/190/

Disable Command Prompt and Batch Files
http://www.winguides.com/registry/display.php/1143/

Disable the Windows Key (Windows NT/2000/XP) Popular
This tweak disables the Windows key that is found between the Ctrl and Alt keys on a Windows enhanced keyboard.
http://www.winguides.com/registry/display.php/903/

Disable the Windows Hotkeys (All Windows)
This restriction allows you to disable the use of the Windows hotkey combinations that provide shortcuts to the Start Menu and task swapping.
http://www.winguides.com/registry/display.php/549/

Secure Access to Floppy Drives (Windows NT/2000/XP)
This setting determines whether data in the floppy disk drive is accessible to other users.
http://www.winguides.com/registry/display.php/204/

Disable Ability to Skip Startup Programs (Windows NT/2000/XP)
Normally if you hold the Shift key while Windows is loading you can prevent the Startup applications from being launched. This setting disables the ability to by-pass these programs.
http://www.winguides.com/registry/display.php/1056/

Disable CD Burning (Windows XP)
This restriction is used to disable the use of the inbuilt CD recording functions of Windows.
http://www.winguides.com/registry/display.php/979/

Disable File Download in Internet Explorer
http://www.winguides.com/registry/display.php/901/

Disable Internet Access
http://www.winguides.com/registry/display.php/1288/

Disable Control Panel
http://www.winguides.com/registry/display.php/543/

Windows Netmeeting Policies and Restrictions (All Windows)
These restrictions and policies can be used to disable or restrict access to certain features of Windows Netmeeting.
http://www.winguides.com/registry/display.php/636/

MSN Instant Messenger Restrictions (All Windows)
These restrictions are used to disable various features of the Microsoft MSN Instant Messenger client.
http://www.winguides.com/registry/display.php/982/

Automatic Hidden Shares (Windows NT/2000/XP)
When networking has been installed on a Windows machine, it will automatically create hidden shares to the local disk drives. It is possible to disable the sharing at run-time, but this tweak will stop the automatic sharing altogether.
http://www.winguides.com/registry/display.php/4/

Manage the Encrypting File System (Windows 2000/XP)
When you use Encrypting File System (EFS), you can store data securely because selected NTFS file system files and folders can be encrypted. This setting allows you to enable or disable EFS.
http://www.winguides.com/registry/display.php/1152/

Add or Remove Programs Restrictions (Windows 2000/XP)
These restrictions apply to the Add/Remove Programs feature of Control Panel. They allow you to entirely or individually disable components.
http://www.winguides.com/registry/display.php/1041/

Control the CD-ROM Autorun Function (Windows NT/2000/XP) Popular
Normally when you insert a disc into your CD-ROM drive, the contents are automatically launched. This tweak allows you to disable this behavior.
http://www.winguides.com/registry/display.php/6/

Restrict Access to the Windows Update Feature (All Windows)
The Windows Update feature allows users to easily update Windows components and software over the Internet. These settings allow can be used to grant or restrict access to this function.
http://www.winguides.com/registry/display.php/441/

Restrict Task Creation and Deletion (Windows 2000/Me/XP)
These settings allow you to restrict the creation and deletion of items in Task Scheduler.
http://www.winguides.com/registry/display.php/1078/

Prevent Access to the Contents of Selected Drives (Windows 2000/Me/XP)
This restriction prevents users from using My Computer or Explorer to access the content of selected drives. Also, they cannot use Run, Map Network Drive, or the Dir command to view the directories on these drives.
http://www.winguides.com/registry/display.php/1157/

Network Connection Restrictions (Windows 2000/XP)
These restrictions control access to the features and properties of LAN, RAS and other network connections.
http://www.winguides.com/registry/display.php/1047/

Enable Remote Assistance (Windows XP) -  :o) Don't use this setting!!!
The Remote Assistance feature is a convenient way for an administrator to remotely connect to a computer and with permission view the screen, move the mouse, use the keyboard and chat online.
http://www.winguides.com/registry/display.php/1213/

Check for Internet Explorer Updates (All Windows)
Internet Explorer 5 and higher has the ability to automatically check for software updates. This tweak controls that feature.
http://www.winguides.com/registry/display.php/784/

Configure Remote Access Client Account Lockout (Windows 2000/XP) New
You can use the remote access account lockout feature to specify how many times a remote access authentication has to fail against a valid user account before the user is denied access. Use this tweak to set the number of failed logins before the account is locked-out and the time before the lockout is reset.
http://www.winguides.com/registry/display.php/1270/

Hide the Last User Name (All Windows) Popular
This setting can be used to blank the username box on the logon screen. This will prevent people that are logging on from knowing the last user to access the system.
http://www.winguides.com/registry/display.php/1/

Secure Access to Floppy Drives (Windows NT/2000/XP)
This setting determines whether data in the floppy disk drive is accessible to other users.
http://www.winguides.com/registry/display.php/204/

Manage Floppy Access from Recovery Console (Windows 2000/XP) New
If this setting is enabled, a user has full access to all drives on the system and can copy files from the hard drive to the floppy disk when using the Recovery Console.
http://www.winguides.com/registry/display.php/1290/


0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10736149
He said efficient ;) The first post would of been fine tryware.
To stop DL's : http://experts-exchange.com/Security/Q_20876082.html
http://www.winguides.com/registry/display.php/969/
http://support.microsoft.com/?kbid=323525

As stated above, AD can lock down things nicely, and so can registry entries.
-rich
0
 

Author Comment

by:jsmithswi
ID: 10736879
Is it possible to get the GPO settings to work on a Windows 98 machine. It works great on my XP systems, but most of my computers that need the restriction are Win98.  I can accept the reg hack to make it work, but if forcing the policy setting works too, I would rather use it for consistency purposes.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 10738393
No you cannot:
To set registry policies on Windows NT 4.0, and Windows 95 and Windows 98 clients, use the Windows NT 4.0 System Policy Editor tool, Poledit.exe.

That excerpt is from: http://www.microsoft.com/windows2000/techinfo/planning/management/groupsteps.asp
And reitterated here: http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/dsec/dsec_pol_wlpe.asp
 poledit is/was a great tool, but isn't as easy to push as GPO's can be.
-rich
0
 

Author Comment

by:jsmithswi
ID: 10744434
Ok....getting close here.

I have it set so that if you click on the IE shortcut, it will give the error that restrictions are in place and it cannot be run; however, when I click on a link from the favorites menu, it will load IE.

Suggestions?? Comments?? Donations??
0
 

Author Comment

by:jsmithswi
ID: 10805706
Anyone....suggestions....Did I stump everyone??
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question