Preventing the users from installing apps.

I have a General Group policy that applies to all workstations and users. I need to make sure that the users cannot install any application (including the small applications, such as google bar, screen savers, themes...etc). Only the Administrators can install that.

I tried to use "Software Restrictions" and set it to "Disallow", but that prevents the users from running any application. Also, I tried to block Windows Installer and set it to Evaluated, but the problem here is that the users have access to the "My Documents" folder, which means they can install the applications into My Documents and run them from there.


Any help is much appreciated.
Rami
nammariAsked:

drtoto82Commented:
I can do two things:
Make a Windows policy that HIDES the Add/Remove Programs.
Also, deny running the .msi packages.

This will do 90% of the job.

Test it and tell me if you need more.
0
nammariAuthor Commented:
Thanks, how can I deny the .msi?
I was thinking of removing "Write and Execute" permissions on C:\ from the users, and giving them access only to My Documents. Is this a good idea? Or might it impact some applications?
Finally, most of the applications can be installed using .exe files. How can I prevent that, keeping in mind that I cannot revoke the access to run exe files from the users?


Thanks,
0
AnthonyP9618Commented:
Denying the users write and execute on C:\ will more than likely affect installed applications.

Are all your clients Windows XP?  If so, I would look into software restriction policies.  It allows you to set limits on the type of applications that users can run on a system.  For example, you would create a new GPO using SRPs to limit users to only run Microsoft Office products.  As new software pieces are rolled out, they can be added to the "white" list of allowed applications that can be executed.

Here's a pretty good overview on how it works, with a really good example:
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx#E4MAE
0
drtoto82Commented:
The link that Anthony provided is very good. It explains exactly how to use group policy to do that job.

I guess you will not need more details.

0
nammariAuthor Commented:
Thank you all, I solved this issue by preventing the users from Write/Create into C:\ (except for My Documents), and preventing users from running .msi packages. I think that will do it.

It is really hard to create an SRP and start allowing the exceptions in a workplace with 50+ computers and different user needs and requirements.

Thank you all.
Rami
0
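
An added example, not part of the original thread: a PowerShell audit that lists the folders under a root where ordinary user groups hold an Allow entry for creating or writing files, which are the places the Write/Create lockdown discussed above still leaves open for a dropped executable. The function name `Get-UserWritableFolder` is hypothetical, and the script assumes PowerShell 5.1 or later and English built-in group names.

```powershell
# Added example (not from the thread). Reports folders where standard-user
# principals have an Allow ACE that permits creating or writing files.
# It reads Allow ACEs only; Deny ACEs and ownership are not evaluated,
# so treat the output as a list of candidates to review.
function Get-UserWritableFolder {
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [int]$Depth = 2,
        # Assumption: English group names; change these on localized systems.
        [string[]]$Principals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                                  'NT AUTHORITY\INTERACTIVE', 'Everyone')
    )
    # WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
    # plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits.
    $writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth `
                     -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
        catch { continue }   # ACL not readable from this account: skip the folder

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            # PropagationFlags.InheritOnly (2): the ACE applies to children only,
            # not to this folder itself.
            if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

            [pscustomobject]@{
                Folder    = $folder.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Run from an elevated session so every ACL can be read.
Get-UserWritableFolder -Root 'C:\' -Depth 2 |
    Sort-Object Folder, Principal |
    Format-Table -AutoSize
```

Any folder in the output that is also allowed to execute under the workstation policy is a location where a user can still place and run a program, as the question notes for My Documents.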