michaelkirk

Group policy to block msn messenger, yahoo, aol, ICQ

I want to apply a policy to the entire domain that will not allow these IM clients to run.

I see there is a built-in policy to shut down MSN, but can I edit that policy to include the others or should I create separate policies? How do I do it?
luv2smile

The built-in policy you see is for disabling the built-in Windows Messenger...not the instant messenger program.

You run into several problems with this.

You can use software restriction policies to block these particular programs....but this isn't foolproof. Someone can simply rename the .exe file and then run it. So I guess whether this would work for you depends on how computer "savvy" your users are.

Also remember that these all have "web" versions and software restriction policies won't stop users from using the web version to still instant message.

If you use software restriction policies...also block Trillian and other such programs that combine all of those instant messengers into one.

The other option you have, if you have a firewall, is to try to block ports associated with these programs, but this can get very tricky and complicated to do effectively without blocking necessary ports, and these programs will try very hard to get through on some open port.

See this thread:

https://www.experts-exchange.com/questions/20610865/Block-MSN-Messenger-and-Yahoo-Messager.html
michaelkirk

ASKER

There is an admin template in group policy on my 2003 server to stop the MSN Messenger from running.
Can I modify the built-in policy of restricting MSN Messenger to include the others?

When you say they can rename the exe, are we talking about the install or the exe that is used to run the program?
I go to AD, then right-click my domain, then go to group policy, then default domain policy under computer/admintemplates/windowscomponents/windows messenger/ then do not allow to start or run.

When I enable this and do a gpupdate it affects about 99% of my computers correctly and it does not run, but 2 or 3 machines can still IM with it; I can uninstall manually on those two.

This works well enough for me; I just wish I could include Yahoo, ICQ and AIM in this template somehow.

When I tried to go under users to not allow Windows applications to run and gave it ypager.exe, icq.exe, aim.exe, msmgs.exe and did a gpupdate, MSN Messenger still started up.

I must be horribly confused about creating and applying group policies to the whole domain.

You are confusing Windows Messenger with MSN Messenger. These 2 are NOT the same program. Windows Messenger is a built-in component of Microsoft Windows....this is not the MSN instant messenger program which is downloaded from MSN.
There is NO group policy that specifically blocks MSN instant messenger......the only way to do this via group policy is to use software restriction policies...and as I stated above...this is not foolproof.

Here is an article on software restriction policies

http://support.microsoft.com/default.aspx?scid=kb;en-us;324036
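
The rename problem raised in the replies above, as an added example that is not part of the original thread: a name-based rule keys on the file name, while software restriction policies also support hash rules that key on file content. This PowerShell audit goes one step beyond the posts and finds copies of blocked binaries by SHA-256 regardless of name; the function names are hypothetical and the files are constructed placeholders that reuse `ypager.exe` and `aim.exe` from the question.

```powershell
# Added example: locate blocked executables by content hash, so a renamed
# copy is still caught. File names and contents below are constructed samples.
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-BlockedHashSet {
    # Hash every reference binary in $ReferenceDir (known copies of blocked clients).
    param([Parameter(Mandatory)][string]$ReferenceDir)
    $set = @{}
    Get-ChildItem -Path $ReferenceDir -Filter *.exe -File | ForEach-Object {
        $set[(Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash] = $_.Name
    }
    return $set
}

function Find-BlockedExecutable {
    # Report each .exe under $ScanRoot whose hash is in the blocked set, and
    # whether a rule that only looks at the file name would have missed it.
    param([Parameter(Mandatory)][string]$ScanRoot,
          [Parameter(Mandatory)][hashtable]$BlockedHashes)
    Get-ChildItem -Path $ScanRoot -Filter *.exe -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            if ($BlockedHashes.ContainsKey($hash)) {
                [pscustomobject]@{
                    Path         = $_.FullName
                    KnownAs      = $BlockedHashes[$hash]
                    MissedByName = ($_.Name -ne $BlockedHashes[$hash])
                }
            }
        }
}

# --- Constructed demo: placeholder files in a temp folder, not real IM clients ---
$root = Join-Path ([IO.Path]::GetTempPath()) ("srp-demo-" + [guid]::NewGuid())
$ref  = New-Item -ItemType Directory -Path (Join-Path $root 'reference')
$usr  = New-Item -ItemType Directory -Path (Join-Path $root 'userprofile')
Set-Content -Path (Join-Path $ref 'ypager.exe') -Value 'constructed sample A'
Set-Content -Path (Join-Path $ref 'aim.exe')    -Value 'constructed sample B'
Copy-Item (Join-Path $ref 'ypager.exe') (Join-Path $usr 'notepad2.exe')  # renamed copy
Set-Content -Path (Join-Path $usr 'calc.exe') -Value 'unrelated constructed file'

$blocked = Get-BlockedHashSet -ReferenceDir $ref.FullName
Find-BlockedExecutable -ScanRoot $usr.FullName -BlockedHashes $blocked | Format-Table -AutoSize
Remove-Item -Recurse -Force $root
```

A hash identifies one exact build, so the reference folder needs a copy of every client version to be covered; a new release produces a new hash.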
ASKER CERTIFIED SOLUTION
luv2smile

This solution is only available to members.

We use firewalls and a program called WebSense in combination to block these programs, but another easy way, albeit not quite as effective at first, is to make a company rule against it and send a broadcast email in that regard. At the same time, create your own group policy to prevent running all the .exe's for programs and installers. Then, run a packet sniffer/logger like Ethereal with a script to log AOL, Yahoo, MSN etc. traffic in a separate file. At that point, you will have logged evidence of any use of any of these software programs with date, time, user info, and in most cases even the text of the messages.

The upsides to this type of action are that, number 1, you have notified all users that ALL instant messaging software and use thereof is prohibited. This prevents users from installing Jabber, Trillian etc. and saying "Hey, only Yahoo, AOL and MSN are against policy," etc., and prevents HR lawsuits. The bigger upside to just telling the users not to and then logging the traffic is that no matter what program or even operating system they use to connect to, say, AOL Instant Messenger, it has to use the same ports and protocols as the original, and thus they are busted. Even if someone ran Linux and the GAIM client, your packet log would tell on them. You get the picture...

Like I said, it's not quite as effective at first, because there will always be some users who think they can outsmart you by using a third-party client like Trillian. Imagine their surprise when you or their supervisor comes with a log of their conversation and asks them if they have any justified reason for it. You will see the general attitude of your user population change drastically once a couple of examples are set.

PS - If you go that route, I also recommend blocking all common proxy ports on your firewall.  I've only found it once so far in my 25,000+ user organization since we started running WebSense, but I found a young kid working part time in the architecture department who was a computer geek that had set up a proxy at his home broadband account and changed all his TCP/IP settings so that basically all his traffic went in and out through his home PC.  I would block network settings and MSIE proxy settings in group policy as well.