Windows fileserver (FSRM) file screening and offline files

We have a fileserver where everybody's My Documents, Downloads, Desktop etc. folders are redirected. The fileserver is running Windows Server 2012 R2, and is running the File Server Resource Manager role.

I've set up file screens that prevent the users from saving executable files into their user profiles. This is to help dissuade users from accidentally downloading malware / spyware / junk from the Internet. I also block them from saving documents to their desktop (only shortcuts / links can go on the desktop).

And for the most part, it works. If I attempt to use any Microsoft product to save any disallowed files (e.g. File Explorer, Internet Explorer, Word etc.), I get an appropriate error box saying access is denied and it blocks it.

But under certain circumstances (e.g. downloading EXE files in Google Chrome), the EXE is still downloaded and they appear to be saved into the folder.

I've discovered that what is going on is that the folders have offline file caching turned on, and because of this the file gets cached in the offline mode on the one computer. The bad files never arrive on the server, but their computer caches it forever, and Windows periodically tries to sync it up to the server (and fails).  The user doesn't realize that the file is in this "transient" state, and they think they've successfully saved a file when really they haven't, but regardless they can ACCESS the file as if it was saved directly into that folder, which defeats the purpose of the file screens.

I have email notifications configured on the Fileserver to tell me when violations to the file screening rules occur, and I am getting INUNDATED with hundreds of notifications every day for the same couple files on a couple user's machines every time the Windows Sync center fails to sync the offline file over and over again.

I'm not sure what to do about this...

For the users who already have offline cached files that are stuck on their system, is there a way to purge the cache so those files go away?

And is there a way to configure the workstations to be more strict about not allowing EXE files to be saved to their redirected user profiles?
LVL 31
Frosty555Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
other than turning off offline files I can't think of a solution.
0
cantorisCommented:
Here's how to purge the cache:

1. Ensure any changes have already been synced (or else they will be lost)
2. Add a registry value:
REG ADD "HKLM\System\CurrentControlSet\Services\CSC\Parameters" /v FormatDatabase /t REG_DWORD /d 1 /f
3. Reboot

You can read more here:
http://support.microsoft.com/kb/942974
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Frosty555Author Commented:
Partial solution. Thanks for your help.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 7

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.