Solved

Prevent Remote Desktop Clients from running Internet Explorer

Posted on 2009-05-12
9
331 Views
Last Modified: 2012-05-06
This is a stand alone 2003 Terminal Server. There are no local clients. I want to use Group Policy to prevent Remote Clients from running Internet Explorer. As far as I can tell, the setting I need is in : User Configuration -> Admin Templates -> System -> Dont run specified apps.

My problem is that I cannot find this policy in Default Domain Controller Settings, or in Default Domain Security Settings. Logged in as Administrator, I ran GPEDIT.MSC and set it there, but this only applied to the Adminstrator Account.

How can I set this policy to apply to other users?

Thanks,

Ian
0
Comment
Question by:ipendlebury
  • 5
  • 4
9 Comments
 
LVL 35

Expert Comment

by:Bembi
ID: 24363308
As you can see --> Admin Template -->, the policy is within a template (ADM) file. You should have this on your computer, usually localted a C:\windows\inf.

Right click on administrative templates and have a look there, which templates are loaded or not. There you can add additional templates.
0
 

Author Comment

by:ipendlebury
ID: 24363640
Thanks for the reply. I need you to be a bit more explanatory please....

>> Right click on administrative templates and have a look there,
>> which templates are loaded or not.

Where should I be doing this? The only place I can find something that says "Administrative Templates" is in GPEDIT.MSC which only applies to the current user.

Ian
0
 
LVL 35

Expert Comment

by:Bembi
ID: 24364398
OK I see...

Have a look here:
Open local security setting
Goto Policies for Software restrictions
--> Additional rules
There you can set file based rules to block applications.

(My system is non english, maybe the pathes differ from my description).

Classic group policies can only applied, it the TS is part of a domain as the logon of users is handled by the domain. If you have only local accounts, you cant assign policies to these local accounts.  

Not the restriction above is machine based...
0
 

Author Comment

by:ipendlebury
ID: 24364444
Sorry, i'm still struggling to understand you.....
Where is this 'Local Security Setting'?
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 35

Expert Comment

by:Bembi
ID: 24364510
Start - settings  - system setting, there you can find the local security policy...

Or run
%SystemRoot%\system32\secpol.msc
0
 

Author Comment

by:ipendlebury
ID: 24364696
OK I got a bit further now... But I think your system is totally different from the systems I administer. I never saw a system with 'Settings' in the Start Menu. I couldn't find Local Security Policy anywhere either. But I ran Secol.msc and got myself in there.

OK I added a new software restriction policy. But this prevents even myself from running Internet Explorer. I need to be able to run this occasionally. I was l looking and wondering if I could create a new security level in the next menu, and have that security level applying to all members of the Users Group.

Can I ask also why you got me to look in the Local Security Policy. The same feature is available in the Default Demain Policy which is readily available to me. Would it not be better to use this?

Ian
0
 
LVL 35

Accepted Solution

by:
Bembi earned 500 total points
ID: 24365241
I use the old menu structure, this is different, yes :-))

> But this prevents even myself...
Yes, as machine based

The same feature is within the group policies, but as policies are stored in the startup folder, they are only used and available if you logon as member of a domain and the TS is a member server of a domain. Otherwise the startup folder is not touched. You said this is a stand alone server.

You may have the Domain GPO admin tools on your machine, but they can only show, what they can find on the machine --> the local policies. Domain policies are only shown if you are part of a domain. Therfore I assume, that changing the settings within GPO console are excacly the same that within the security console. Means if you change the settings with the GPO console, they will also be show by the security console.  

Case is different, if your TS server is part of a domain.
0
 
LVL 35

Expert Comment

by:Bembi
ID: 24365264
Oh, the local policies are store under
C:\WINDOWS\system32\GroupPolicy
There are also the local INF files.
0
 

Author Comment

by:ipendlebury
ID: 24365349
Ok thank you for all that

Ian
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

I have never ceased to be amazed how many problems you can encounter on a fresh install of a Windows operating system.  This is certainly case in point& Unable to complete ANY MSI installation.  This means Windows Updates are failing and I can't …
Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now