jshussain asked:

STOPPING PROGRAM INSTALLS AND BLOCKING CERTAIN SITES

Ok guys, here is my issue...

I have 3 computers running Windows XP that I have in my business (T-Mobile phone store). My employees are on those computers on a regular basis and pretty much do all their work online. I'm not at the location most of the day so I can't monitor what sites are being visited and what programs are being installed but there is a strict policy against that. Of course since I am not at the location most of the day, plus I don't really have the time, I can't figure out what sites were visited or what programs were installed and which employee caused the issue.

I do know that when I do my regular anti-virus check up once a week, I do find tons of tracing cookies and adware/viruses here and there. I do know that the performance of the PC usually slows down and I believe this is because of the viruses.

Instead of trying to go back and forth and trying to figure this out, I need a way in Windows XP where I can stop my employees from downloading and installing all the programs (bear share, lime wire, poker stars and god knows what else) that are going to keep them from their work and introduce security threats to the business computers. I also need to block certain sites like myspace.com and facebook.com from the browsers as well.

I was told that creating a "limited" status account in XP should be able to stop this but I tried and it still lets me install programs without any issues.

Please give me your best advice on the situation above.

Thanks much in advance guys. I hope you guys can help me with a solution to this problem as it has become a serious time/money consuming issue.

Good luck and take care
Jamal
ASKER CERTIFIED SOLUTION
Tolomir
Btw, for a full system scan of all these affected computers ZoneAlarm will do the job, but you might also find Prevx useful:

PREVX 2.0 is the most powerful security solution in the World. It safeguards your PC and personal information from theft and attack by Spyware, Rootkits, Trojans, Viruses, Bots, Adware and all other forms of Malware and Crimeware.

http://www.prevx.com/

I use it besides ZoneAlarm as a second opinion on programs I download from the internet; before they can start, it checks them against an internet database for being possible malware, then quarantines that troublemaker.



jshussain

ASKER

Hey guys, thanks for all your help.

Tolomir: I already got ZoneAlarm and will try it out. Also the PREVX 2.0 program.

benhanson: Do you think you can supply me with some links that have easier instructions than the Microsoft link? That one is way too complex and confusing for someone with my computer knowledge.

myin68: I found this def stopped the program install. Thanks, going to try ZoneAlarm for stopping the sites. Thanks
benhanson

Would you be trying to apply a group policy via active directory, or trying to create a Software Restriction Policy on each PC?
"Would you be trying to apply a group policy via active directory, or trying to create a Software Restriction Policy on each PC?"

I don't really have any programs that I use under admin that I don't want my employees using so I don't really need software restriction.

I'm not sure what you mean by group policy via active directory, but I'm assuming that's what I need.

I basically have two accounts... an admin account and employee account and the employee account is a limited account under Windows XP. I want the employee account to not be able to go to certain sites (myspace.com) but I don't want it to be blocked in the admin account. I would also like it if the employee account could not install any programs.

Let me know what you think is best. Thanks.
It's the last statement that you made, "I would also like it if the employee account could not install any programs", that I keep keying in on.  Generally a restricted account can still execute any application that doesn't:
1. modify system files
2. modify registry keys outside of HKEY_CURRENT_USER
3. modify other files it doesn't have permission to.

So to keep people from downloading standalone apps that don't violate the above rules, you have to actively block everything, then specifically allow the apps you want to run.  It should be noted that many developers take special care to make sure their apps will still run under restricted user accounts, specifically because it is becoming more and more recommended that users not run as admin.
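
The "block everything, then specifically allow" approach from the post above, as an added example that is not part of the thread and is not Windows' actual Software Restriction Policy engine: a simplified Python model of a default-deny path allowlist, compared with a plain limited account. The allowed directories, the extension list and the sample paths are constructed assumptions.

```python
import ntpath  # Windows path rules; importable on any OS

# Assumption: admin-installed software lives only in these directories,
# and the limited account cannot write to them.
ALLOWED_DIRS = [r"C:\WINDOWS", r"C:\Program Files"]
# Assumption: file types the policy treats as executable.
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".msi", ".scr", ".vbs"}


def _norm(path):
    # Case-insensitive compare, unify slashes, collapse ".." segments.
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path, directory):
    p, d = _norm(path), _norm(directory)
    # Require a separator so "C:\Program Files Evil" does not match.
    return p == d or p.startswith(d + "\\")


def may_run(path, is_admin=False, default_deny=True):
    """Return True if the modelled policy lets this file execute."""
    if is_admin:
        return True   # policy scoped to everyone except administrators
    if ntpath.splitext(path)[1].lower() not in EXEC_EXTS:
        return True   # documents and data files are not covered
    if not default_deny:
        return True   # limited account alone: execution itself is not blocked
    return any(is_under(path, d) for d in ALLOWED_DIRS)


# Constructed sample paths (not taken from the thread).
SAMPLES = [
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\Documents and Settings\employee\Desktop\LimeWireSetup.exe",
    r"C:\Program Files\..\Documents and Settings\employee\poker.exe",
    r"C:\Documents and Settings\employee\My Documents\report.doc",
]


def evaluate(paths, **kwargs):
    return {p: may_run(p, **kwargs) for p in paths}


if __name__ == "__main__":
    for deny in (False, True):
        print("default_deny =", deny)
        for p, ok in evaluate(SAMPLES, default_deny=deny).items():
            print("  %-5s %s" % ("RUN" if ok else "BLOCK", p))
```

The allowlist only holds if the limited account has no write access to the allowed directories; otherwise a downloaded file can simply be copied into one of them.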
Ben, I know exactly what you mean now.

Instead of having a restricted account and going through the trouble of disabling all and then allowing a few programs, do you think it's better I just have a guest account for the employee? From what I was told about the guest account, it stops ANY and ALL installs.

let me know what you think please.
thanks
any thoughts on my last comment ben?
You have to test if they are still able to create & save documents... (I mean it depends on their work)