Solved

Prevent Remote Desktop Clients from running Internet Explorer

Posted on 2009-05-12
9
372 Views
Last Modified: 2012-05-06
This is a stand alone 2003 Terminal Server. There are no local clients. I want to use Group Policy to prevent Remote Clients from running Internet Explorer. As far as I can tell, the setting I need is in : User Configuration -> Admin Templates -> System -> Dont run specified apps.

My problem is that I cannot find this policy in Default Domain Controller Settings, or in Default Domain Security Settings. Logged in as Administrator, I ran GPEDIT.MSC and set it there, but this only applied to the Adminstrator Account.

How can I set this policy to apply to other users?

Thanks,

Ian
0
Comment
Question by:ipendlebury
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
9 Comments
 
LVL 35

Expert Comment

by:Bembi
ID: 24363308
As you can see --> Admin Template -->, the policy is within a template (ADM) file. You should have this on your computer, usually localted a C:\windows\inf.

Right click on administrative templates and have a look there, which templates are loaded or not. There you can add additional templates.
0
 

Author Comment

by:ipendlebury
ID: 24363640
Thanks for the reply. I need you to be a bit more explanatory please....

>> Right click on administrative templates and have a look there,
>> which templates are loaded or not.

Where should I be doing this? The only place I can find something that says "Administrative Templates" is in GPEDIT.MSC which only applies to the current user.

Ian
0
 
LVL 35

Expert Comment

by:Bembi
ID: 24364398
OK I see...

Have a look here:
Open local security setting
Goto Policies for Software restrictions
--> Additional rules
There you can set file based rules to block applications.

(My system is non english, maybe the pathes differ from my description).

Classic group policies can only applied, it the TS is part of a domain as the logon of users is handled by the domain. If you have only local accounts, you cant assign policies to these local accounts.  

Not the restriction above is machine based...
0
Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

 

Author Comment

by:ipendlebury
ID: 24364444
Sorry, i'm still struggling to understand you.....
Where is this 'Local Security Setting'?
0
 
LVL 35

Expert Comment

by:Bembi
ID: 24364510
Start - settings  - system setting, there you can find the local security policy...

Or run
%SystemRoot%\system32\secpol.msc
0
 

Author Comment

by:ipendlebury
ID: 24364696
OK I got a bit further now... But I think your system is totally different from the systems I administer. I never saw a system with 'Settings' in the Start Menu. I couldn't find Local Security Policy anywhere either. But I ran Secol.msc and got myself in there.

OK I added a new software restriction policy. But this prevents even myself from running Internet Explorer. I need to be able to run this occasionally. I was l looking and wondering if I could create a new security level in the next menu, and have that security level applying to all members of the Users Group.

Can I ask also why you got me to look in the Local Security Policy. The same feature is available in the Default Demain Policy which is readily available to me. Would it not be better to use this?

Ian
0
 
LVL 35

Accepted Solution

by:
Bembi earned 500 total points
ID: 24365241
I use the old menu structure, this is different, yes :-))

> But this prevents even myself...
Yes, as machine based

The same feature is within the group policies, but as policies are stored in the startup folder, they are only used and available if you logon as member of a domain and the TS is a member server of a domain. Otherwise the startup folder is not touched. You said this is a stand alone server.

You may have the Domain GPO admin tools on your machine, but they can only show, what they can find on the machine --> the local policies. Domain policies are only shown if you are part of a domain. Therfore I assume, that changing the settings within GPO console are excacly the same that within the security console. Means if you change the settings with the GPO console, they will also be show by the security console.  

Case is different, if your TS server is part of a domain.
0
 
LVL 35

Expert Comment

by:Bembi
ID: 24365264
Oh, the local policies are store under
C:\WINDOWS\system32\GroupPolicy
There are also the local INF files.
0
 

Author Comment

by:ipendlebury
ID: 24365349
Ok thank you for all that

Ian
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Copy an entire Active Directory Domain to a dev environment 4 237
shadow copies 7 95
Questions about DHCP migration 5 118
Enterprise Mode 4 71
The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thi…
Organizations create, modify, and maintain huge amounts of data to help their businesses earn money and generally function.  Typically every network user within an organization has a bit of disk space to store in process items and personal files.   …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question