Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

prevent Chrome installing

Posted on 2013-01-21
7
Medium Priority
?
675 Views
Last Modified: 2013-01-22
win2008 r2 domain
win7 clients

my users are local admins but I need to prevent them installing Chrome. they are being prompted by adverts etc to get chrome so I need to stop them installing it. maybe Software Restriction Policies?
0
Comment
Question by:Pete
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 23

Expert Comment

by:Ayman Bakr
ID: 38802128
Download files can be restricted when you enable the GPO setting under:

 User Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone > "Allow file download"

You can also restrict using other browsers through AppLocker Policy since you have Win 7 clients.

The best is not to give your users Local Admin privileges.
0
 
LVL 1

Author Comment

by:Pete
ID: 38802813
thanks for the reply, staff need local admin rights so they run our poorly written school management software.

I was hoping for paths and filenames i can restrict to prevent chrome downloading and installing?
0
 
LVL 23

Expert Comment

by:Ayman Bakr
ID: 38802908
Well, paths and filenames will not solve your issue if the user is a tech savvy and discovers how to change the execution file name or the default path of installation. Moreover, the more you try to be restrictive the more your users become tech-knowing and the more determined to break the restrictions!

Check this thread for more information and different ideas presented - AppLocker would be very great and efficient; read through to Jason Sandys comment:

http://social.technet.microsoft.com/Forums/en-US/configmgrswdist/thread/36f404ba-95e5-4808-8f17-b6875f76b72a
0
Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

 
LVL 1

Author Comment

by:Pete
ID: 38803082
http://social.technet.microsoft.com/Forums/eu/winserverGP/thread/a7abcfea-8819-4680-9010-d2604a59c9bd

how about this, not too worried about staff renaming installers etc. but not sure of implications of blocking googleupdater.exe
0
 
LVL 23

Expert Comment

by:Ayman Bakr
ID: 38804534
Well, first you need to focus on what stage you want to put the restrictions:
1. At the download level
2. At the installation level
3. Post-Installation level

Once clear about that, then you can use the suggestion that suits your objective. GPO to disallow downloads, or GPO to disallow the installation or GPO to disallow the launch of an application that is already installed (again I would stress here that perhaps the best here is AppLocker Policy).

In the link you mentioned, googleupdate.exe restrictions will affect, not only chrome updates but any google related updates. You might want to stick to chrome_installer.exe; but if google changes the name of the file, the users will be able to download it again.

Frankly speaking, I would prefer the post-installation level restrictions because by this you avoid the hassle of changing file names rendering restrictions on the first two levels useless.
0
 
LVL 1

Author Comment

by:Pete
ID: 38804546
Applocker is not available for Win7 Pro which is what we have.

I would like to prevent both the downloading and the running. so maybe a SRP of *chrome.exe for the running and not sure about the downloading, any ideas what to block?

Thanks
0
 
LVL 23

Accepted Solution

by:
Ayman Bakr earned 2000 total points
ID: 38805783
To prevent from running chrome installation you can create a SRP of chrome.exe and chromesetup.exe with a hash rule (so that even if they change the name of the file or path, they will still not be able to run the installation).

To prevent the download you can set the 'Allow File Download' to disabled in the GPO:
User Configuration > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone

But this will diallow download of all files in that zone.

To prevent select file types or certain file downloads like chromesetup.exe I believe you'll be better equipped to have it set on your firewall appliance (cisco, juniper - whatever is your firewall).
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question