Need to block downloads & installs from internet

Posted on 2005-03-14
Medium Priority
Last Modified: 2013-12-04
We're running Windows 2000 Server, clients are all XP or 2000.  Some users are downloading games, screensavers, etc from internet, even ones who are in the restricted users group, and their IE settings are at highest security level.  We're moving users from IE to Firefox to try to control popups and malware.
(1)How do I set the domain policy so that only users with domain admin or power user rights can download files from internet and install them?  
(2)Will this stop spyware and other stuff from installing itself in the background?

Question by:maharlika
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 38

Accepted Solution

Rich Rumble earned 440 total points
ID: 13536647
If the users are in the "users group" on their local machines, they cannot install (or shouldn't be able to) programs. But that only holds true for programs that want/need to access the registry for additions or modifications and or register plugins or dlls with the OS. Programs that are standalone, and require no real modification to the os, or do not require files to "be installed" in the normal sense we think of when we say "install".  If they are able to do this, the perhaps they are listed in the power user's group, or admins' as well of thier local machines. This can also happen if you've upgraded the OS from let's say win2k to xp, and they were admin's previously on their machines.

Here is how to set an AD policy to deny them the ability to download certain file extensions.
http://support.microsoft.com/?kbid=271135 (just in case)

basically- open group policy manager
expand computer configuration >> windows settings >>
security settings >> software restrictions

If your users are able to install software that modifies the registry, and or add's program files outside their profile... then they have something giving them this right...

users in the "users group" should have less spy-ware, but it's not much. FireFox is a good choice to help. be sure they know why your moving to firefox, and what to do if a page doesn't render properly. We like to use a vbe file (an encoded vbs file) to launch IE as the local guest user (actually is a user in the guest's group)

Read this site for the vbs file and how to convert it to vbe.


LVL 24

Assisted Solution

SunBow earned 440 total points
ID: 13538753
a) make a rule, no downloading
b) anyone who demonstrates desires to break rules cna be released to go practise where it is more acceptable

>  only users with domain admin
Don't let others write to the disk either, or the registry.

> )Will this stop spyware and other stuff from installing itself

Nope. Why do you think they proliferate so much when we (most of us) really do not want them?  
Many use stolen credit card info to reimburse their sites, so a good idea to deter them is to enforce privacy, do not let otheres make private information available, and warn users about the misuses that others may seek when simply sneeking to see their internet identity or ID to proliferate malware.  Users who download can esily become zombies, unless they already are zombies.

Featured Post

New benefit for Premium Members - Upgrade now!

Ready to get started with anonymous questions today? It's easy! Learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Suggested Courses
Course of the Month8 days, 6 hours left to enroll

766 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question