Solved

Deny all users to install any software

Posted on 2008-10-11
5
876 Views
Last Modified: 2010-04-21
Daer Experts

i'm the IT Person on a company having 40 computers all of them having windows xp, my problem is every body try to install applications,games,etc.
which not allowed in the company. What i want to do is to deny everybody of install a new application or any application only
the administrator should do this, what could be the best solution for this,
i have a Windows SBS 2003 domain controller and active directory running on it, is there a solution per pc , pr per group policy
your urgent answer will be highly appriciated
thanks in advance
0
Comment
Question by:gmerino
5 Comments
 
LVL 2

Expert Comment

by:shhashemi
ID: 22693642
0
 
LVL 3

Accepted Solution

by:
jannepm earned 500 total points
ID: 22693653
Windows XP has this feature,you can either restrict to run only programs you specify, or deny programs which you want, for example utorrent.exe, directconnect.exe, etc.

It is much more effective to restrict all other programs than your chosen ones. Otherwise, you are catching your on tail.

So, deny all other than iexplore.exe, explorer.exe, winword.exe, excel.exe, .. etc what you need to use.
WinXP is also able to calculate the checksums so the trick renaming GameSetupInstaller.exe to Explorer.exe does not work.

Here is a quote from Kelly's:

---
Software Restriction Policies may be set to determine what software may or may not be run by users on the system. (Jim Cavalaris [MS])

Software Restriction Policies can be configured via the group policy editor (gpedit.msc) at:

Local Computer Policy -->Computer Configuration -->Windows Settings -->Security Settings -->Software Restriction Policies.  Policy can be set to either: restrict users from running specified programs - OR -restrict users to allow ONLY the specified programs to be run.

For a non-domain machine, policy can be applied to all users on the system, or non-Admin users only (Admins are not affected by the policy, and may run any/all programs). you cannot specify this policy for only certain users, but for a non-domain machine, the Admin/non-Admin breakdown may be sufficient.

--

Try googling with words windows xp restriction policies, link:
http://www.google.com/search?hl=fi&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=windows+xp+restriction+policies&spell=1



Original Source: http://www.kellys-korner-xp.com/xp_abc.htm

0
 
LVL 5

Expert Comment

by:thecomputerdocs
ID: 22694784
I like this article.
We've used deepfreeze....works great!
http://www.governmentsecurity.org/archive/t40.html
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22695082
Internet Explorer Enahnced security will prevent Users and amdinistrators from downloading Operating System intrusive files from remote locations.

Here is an example:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23351830.html
0
 

Author Closing Comment

by:gmerino
ID: 31505289
Most likely block users from installing any application is based on policies, what I expected. Thanks for the entire explanation! Now I have all knowledge to start planning a good policy for my needs.

Thanks!
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

Because virtualization becomes more and more common, and, with Microsoft Hyper-V included in Windows Server at no additional costs, and, most server hardware nowadays is more than capable of running a physical Small Business Server (SBS) 2008 or 201…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now