[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

Prevent Remote Desktop Clients from running Internet Explorer

Posted on 2009-05-12
9
Medium Priority
?
394 Views
Last Modified: 2012-05-06
This is a stand alone 2003 Terminal Server. There are no local clients. I want to use Group Policy to prevent Remote Clients from running Internet Explorer. As far as I can tell, the setting I need is in : User Configuration -> Admin Templates -> System -> Dont run specified apps.

My problem is that I cannot find this policy in Default Domain Controller Settings, or in Default Domain Security Settings. Logged in as Administrator, I ran GPEDIT.MSC and set it there, but this only applied to the Adminstrator Account.

How can I set this policy to apply to other users?

Thanks,

Ian
0
Comment
Question by:ipendlebury
  • 5
  • 4
9 Comments
 
LVL 35

Expert Comment

by:Bembi
ID: 24363308
As you can see --> Admin Template -->, the policy is within a template (ADM) file. You should have this on your computer, usually localted a C:\windows\inf.

Right click on administrative templates and have a look there, which templates are loaded or not. There you can add additional templates.
0
 

Author Comment

by:ipendlebury
ID: 24363640
Thanks for the reply. I need you to be a bit more explanatory please....

>> Right click on administrative templates and have a look there,
>> which templates are loaded or not.

Where should I be doing this? The only place I can find something that says "Administrative Templates" is in GPEDIT.MSC which only applies to the current user.

Ian
0
 
LVL 35

Expert Comment

by:Bembi
ID: 24364398
OK I see...

Have a look here:
Open local security setting
Goto Policies for Software restrictions
--> Additional rules
There you can set file based rules to block applications.

(My system is non english, maybe the pathes differ from my description).

Classic group policies can only applied, it the TS is part of a domain as the logon of users is handled by the domain. If you have only local accounts, you cant assign policies to these local accounts.  

Not the restriction above is machine based...
0
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 

Author Comment

by:ipendlebury
ID: 24364444
Sorry, i'm still struggling to understand you.....
Where is this 'Local Security Setting'?
0
 
LVL 35

Expert Comment

by:Bembi
ID: 24364510
Start - settings  - system setting, there you can find the local security policy...

Or run
%SystemRoot%\system32\secpol.msc
0
 

Author Comment

by:ipendlebury
ID: 24364696
OK I got a bit further now... But I think your system is totally different from the systems I administer. I never saw a system with 'Settings' in the Start Menu. I couldn't find Local Security Policy anywhere either. But I ran Secol.msc and got myself in there.

OK I added a new software restriction policy. But this prevents even myself from running Internet Explorer. I need to be able to run this occasionally. I was l looking and wondering if I could create a new security level in the next menu, and have that security level applying to all members of the Users Group.

Can I ask also why you got me to look in the Local Security Policy. The same feature is available in the Default Demain Policy which is readily available to me. Would it not be better to use this?

Ian
0
 
LVL 35

Accepted Solution

by:
Bembi earned 2000 total points
ID: 24365241
I use the old menu structure, this is different, yes :-))

> But this prevents even myself...
Yes, as machine based

The same feature is within the group policies, but as policies are stored in the startup folder, they are only used and available if you logon as member of a domain and the TS is a member server of a domain. Otherwise the startup folder is not touched. You said this is a stand alone server.

You may have the Domain GPO admin tools on your machine, but they can only show, what they can find on the machine --> the local policies. Domain policies are only shown if you are part of a domain. Therfore I assume, that changing the settings within GPO console are excacly the same that within the security console. Means if you change the settings with the GPO console, they will also be show by the security console.  

Case is different, if your TS server is part of a domain.
0
 
LVL 35

Expert Comment

by:Bembi
ID: 24365264
Oh, the local policies are store under
C:\WINDOWS\system32\GroupPolicy
There are also the local INF files.
0
 

Author Comment

by:ipendlebury
ID: 24365349
Ok thank you for all that

Ian
0

Featured Post

Learn to develop an Android App

Want to increase your earning potential in 2018? Pad your resume with app building experience. Learn how with this hands-on course.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
The Relationships Diagram is a good way to get an overall view of what a database is keeping track of. It is also where relationships are defined. A relationship specifies how two tables connect to each other. As you build tables in Microsoft Ac…
The video provides a quick and easy steps to migrate MBOX file to well known Outlook PST and Office 365. Besides this, it also supports and migrates more than 20 email clients of MBOX which include AppleMail, Opera, Thunderbird and SeaMonkey effortl…

612 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question