eitconsulting

asked on
Chrome's bypassing AD policies and allowing AD users to install...

Hello, Chrome seems to find its way onto client desktops whose users have only User rights within an AD and therefore do not have rights to install software applications. However, Chrome seems to circumvent AD's User right policies and allows itself to be installed, which in turn creates more issues due to Chrome's "free will" functionality.
*For the record, other software programs are appropriately prevented from being installed by the end-users.

Has anyone encountered this same/similar issue with Chrome and if so, what did you do to prevent Chrome from being installed?
Cliff Galiher

This is an often misunderstood issue. There is *nothing* in AD or in a default Windows setup in general that prevents users from "installing" software. What is prevented, by ACLs, is that a user cannot make changes to any protected system areas. *MOST* programs like to install registry entries and files in protected areas (Program Files directory, HKLM registry hive, etc.), and thus the net effect is that users appear to not be able to install software because the installation gets blocked from writing files to those locations.

However, a program that only writes files to areas the user has access to, for example putting an executable in their Downloads or Documents folder, will run just fine. Legitimate software does this. It is how many portable apps work. It is how programs like TeamViewer or GoToAssist can allow someone to offer assistance to non-admin users. And other "bad" programs do this. It is why CryptoLocker and its variants have been so successful, even with non-admins opening the Trojan that starts the process. Chrome also happens to fall into that category.

If you *really* want to limit users to only programs you allow, the only good way to do so is AppLocker (or a 3rd-party equivalent). With the popularity of CryptoLocker, a spotlight has recently come to rest on this essential tool, but it has been around for quite a while.

This isn't an AD or permissions issue. It is just how the PC architecture evolved. Yay for backwards compatibility.
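As an added illustration of the point above (an example script, not from the thread or any of its participants): a PowerShell audit that lists running processes whose executable lives outside the ACL-protected program directories, i.e. in the user-writable locations Cliff describes. It assumes it is run from an elevated session so that every process's image path can be read; the protected roots are taken from the standard environment variables.

```powershell
# Added example, not part of the original thread: report processes whose main
# executable sits outside the ACL-protected program directories.
# Assumption: run from an elevated PowerShell so MainModule paths are readable.

$protectedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-ProtectedPath {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($root in $protectedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$report = Get-Process | ForEach-Object {
    $proc = $_
    # MainModule throws for processes we are not allowed to inspect (and for a
    # 32-bit host looking at 64-bit processes); skip those rather than fail.
    $path = try { $proc.MainModule.FileName } catch { $null }
    if ($path -and -not (Test-ProtectedPath -Path $path)) {
        [pscustomobject]@{
            ProcessName   = $proc.ProcessName
            Id            = $proc.Id
            Path          = $path
            # Flag images under a user profile, the case discussed in the thread.
            InUserProfile = $path -like "$env:SystemDrive\Users\*"
        }
    }
}

$report | Sort-Object Path | Format-Table -AutoSize
```

Run it on a client where a non-admin user has installed Chrome and the per-user chrome.exe shows up with InUserProfile set to True, which is exactly what the ACL model allows and what only an application-control mechanism such as AppLocker can stop.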
eitconsulting (ASKER)
That sounds great and all where backward compatibility is concerned. However, Chrome appears to allow some GPOs to be circumvented, such as downloading and streaming, ultimately negating the purpose of the GPO, which is to protect the end-user's node and network from their unintended actions, at least in most cases.
I'm certainly considering an app blocking program but wanted to post here first in the event there have been Windows security improvements within the last year.
ASKER CERTIFIED SOLUTION
McKnife
McKnife, do you know if a whitelisting GPO can be created at the AD (Win2012R2) level for the computers or does it have to be created within each individual computer?
> Chrome appears to allow some GPOs to be circumvented such as downloading and streaming

There are no GPOs that inherently block any of that, so there is nothing to circumvent. Network traffic has always been governed by other programs or tools (even Microsoft had TMG/UAG in that space for a time) but has never been a built-in feature of the OS.

If you want to limit downloading and streaming, you need a good edge device/UTM. If you want to limit what programs users run, you need to use something like AppLocker. That's just the way of it, and no, that likely won't change in a year or even a decade. It just isn't the direction Microsoft has signaled that they are going to take Windows. If anything, with Windows Store apps, they are going the other way. They are protecting things at the data level, compartmentalization, and letting users do more "personal" things on their devices, even in a corporate environment. You'll want to plan accordingly.
> who have only User rights within an AD and therefore, do not have rights to install software applications.

This statement is only partially correct: it's correct for so-called per-machine installations, but besides them there are also per-user installations, and regular users are allowed to install them. See this article for further details: https://msdn.microsoft.com/en-us/library/windows/desktop/dd765197(v=vs.85).aspx. The same installation can be installed per-machine and per-user, and in fact Windows is smart enough to decide how to do it, depending on whether the user is elevated or not. The fact that Chrome gets installed per-user means that Chrome's developers have absolutely accurately created their installation, having correctly used these features.

If you want to prohibit per-user installations, the setting in group policy that you want to use is

Computer Configuration - Policies - Administrative Templates - Windows Components - Windows Installer - Prohibit User Install

It may or may not work, depending on whether the Chrome installation is MSI-based. If not, you'll have to use AppLocker, suggested by Cliff, software restriction policies, suggested by McKnife, or something similar.
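To make the per-user versus per-machine distinction concrete, here is an added PowerShell example (not part of the answer above and not Microsoft's code). It inventories what the current account has installed under the per-user uninstall key, flags which entries came through Windows Installer (the only ones the Prohibit User Installs policy can affect, as the answer notes), and reads the registry value that policy writes. The HKCU uninstall key and the Installer policy key are the standard locations; the meanings assigned to the DisableUserInstalls values (0/absent = allow, 1 = hide, 2 = prohibit) are taken from the msi.admx enumeration and are an assumption you should verify against the template in your own environment.

```powershell
# Added example, not from the thread. Lists per-user installs visible to the
# current account and shows whether each one is MSI-based, then reads the value
# written by the "Prohibit User Installs" policy.
# Assumptions: run as the user whose installs you want to see; DisableUserInstalls
# semantics (0/absent = allow, 1 = hide, 2 = prohibit) follow the msi.admx
# enumeration and should be checked against the template in your environment.

$userUninstallKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'

function Get-PerUserInstall {
    Get-ChildItem -Path $userUninstallKey -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                Version         = $_.DisplayVersion
                # WindowsInstaller = 1 marks an MSI product; anything else was
                # placed by a non-MSI setup program, which the policy never sees.
                MsiBased        = ($_.WindowsInstaller -eq 1)
                InstallLocation = $_.InstallLocation
                UninstallString = $_.UninstallString
            }
        }
}

function Get-UserInstallPolicy {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $item  = Get-ItemProperty -Path $policyKey -Name DisableUserInstalls -ErrorAction SilentlyContinue
    $value = if ($item) { [int]$item.DisableUserInstalls } else { 0 }
    switch ($value) {
        0       { 'Allow user installs (policy not set or disabled)' }
        1       { 'Hide user installs (Windows Installer ignores per-user products)' }
        2       { 'Prohibit user installs (per-user MSI installs fail)' }
        default { "Unrecognised DisableUserInstalls value $value" }
    }
}

$installs = @(Get-PerUserInstall)
$installs | Format-Table DisplayName, Version, MsiBased, InstallLocation -AutoSize

"Prohibit User Installs policy state: $(Get-UserInstallPolicy)"

# The caveat from the answer, made visible: non-MSI per-user installs are
# untouched by the Windows Installer policy and need AppLocker or SRP instead.
$nonMsi = @($installs | Where-Object { -not $_.MsiBased })
if ($nonMsi.Count -gt 0) {
    "{0} per-user install(s) are not MSI-based; the Windows Installer policy cannot block these." -f $nonMsi.Count
}
```

Running this as the affected user on one of the six machines shows in one screen whether the per-user Chrome entry is MSI-based and therefore whether the policy setting quoted above is enough on its own.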
> do you know if a whitelisting GPO can be created at the AD (Win2012R2) level for the computers or does it have to be created within each individual computer?

Of course it can be set using domain GPOs. As long as you know what to whitelist, it can be centralized.
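Bringing together the AppLocker recommendation earlier in the thread and the confirmation just above that a whitelist can be centralized in a domain GPO, here is an added PowerShell example that is not from the thread or from Microsoft. It writes a minimal AppLocker executable whitelist in audit mode (Everyone may run from the Windows and Program Files directories, Administrators from anywhere), tests a per-user Chrome path against it with the AppLocker cmdlets, and imports the policy into a GPO. The GPO LDAP path is a placeholder, the SIDs are the well-known ones for Everyone and Administrators, and the chrome.exe location assumes a per-user install exists on the machine where you run the test.

```powershell
# Added example, not from the thread or from Microsoft. Builds an audit-mode
# AppLocker EXE whitelist, tests a user-profile executable against it, and
# imports it into a domain GPO.
# Assumptions: the AppLocker cmdlets are available; $gpoLdapPath is a placeholder
# for your GPO's distinguished name; per-user Chrome is assumed to live under
# %LOCALAPPDATA%\Google\Chrome\Application.

$policyPath  = Join-Path $env:TEMP 'AppLocker-Whitelist.xml'
$gpoLdapPath = 'LDAP://DC1.example.internal/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=example,DC=internal'

function New-PathRule {
    param([string]$Name, [string]$Sid, [string]$Path)
    @"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="Allow">
      <Conditions>
        <FilePathCondition Path="$Path" />
      </Conditions>
    </FilePathRule>
"@
}

# S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators.
# AuditOnly means the first rollout only logs (Microsoft-Windows-AppLocker/EXE and DLL
# event log) instead of blocking; switch to Enabled once the log is clean.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-PathRule -Name 'Allow Windows folder'        -Sid 'S-1-1-0'      -Path '%WINDIR%\*')
$(New-PathRule -Name 'Allow Program Files'         -Sid 'S-1-1-0'      -Path '%PROGRAMFILES%\*')
$(New-PathRule -Name 'Administrators run anything' -Sid 'S-1-5-32-544' -Path '*')
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: a per-user Chrome sits under the profile, so no allow rule matches and
# the decision should come back Denied (in audit mode that is only logged).
$chromeExe = Join-Path $env:LOCALAPPDATA 'Google\Chrome\Application\chrome.exe'
if (Test-Path $chromeExe) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $chromeExe -User Everyone |
        Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
}

# Publish into the domain GPO. Clients need the Application Identity service
# (AppIDSvc) running before AppLocker evaluates anything.
Set-AppLockerPolicy -XmlPolicy $policyPath -Ldap $gpoLdapPath
```

For a whitelist tighter than directory paths, build the rules from a reference machine instead: pipe `Get-AppLockerFileInformation -Directory <dir> -Recurse -FileType Exe` into `New-AppLockerPolicy -RuleType Publisher,Hash -User Everyone -Optimize -Xml` and import the result the same way. Keep the policy in AuditOnly until the AppLocker event log on the six clients shows only the programs you expect to be denied.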
Bottom line is, Chrome opens doors for novice users to do more than just surf, and the particular customer I'm researching on behalf of has a limited budget, only 6 computers, and has staff end-users who like to surf the web plenty.
I appreciate the informal edified feedback. I'll explore GPOs further, and the ESET antivirus software currently installed, which supposedly restricts the installation of Chrome as well.
That is not Chrome-specific. Google the term "portable apps"; it's something very common, which only whitelisting can overcome.
Consider changing the point distribution. I only extended what Cliff said before.
>Chrome opens doors for novice users to do more than just surf

I suggest that you actually read my comment, and the Microsoft article. That door was open and carefully maintained since when Chrome's developers probably were still in elementary school.
> Chrome opens doors for novice users to do more than just surf

Vadim, I get the perspectives presented here but am not looking for perspectives/"portable apps 101" lessons, respectfully, as I've been well aware of the fact that Chrome is a mobile app (and is not the only mobile app out there), which once again appears to create problems at this particular customer's site.

Here is my original question again:
"Has anyone encountered this same/similar issue with Chrome and if so, what did you do to prevent Chrome from being installed?"

McKnife's response with whitelisting was short and to the point, he followed up by confirming what I had asked and therefore in my opinion (as did several other sites I researched) had the best solution from these responses.  I am looking for a solution as I mentioned above to a unique situation of highly motivated end-users who like to surf on not for profit computer systems.
The answer you accepted addresses the problem of running portable applications, but it's not what you asked. You asked "how to prevent Chrome from being installed", while the whole idea of a portable app is that it is not installed at all, so the answer is not how to prevent application X from being installed, but how to prevent an application from being run, whether it's installed or not. That's one issue, and another is that installed Chrome is not a portable app, exactly because it's installed. Your original question was: "However, Chrome seems to circumvent AD's User right policies and allows itself to be installed", which is plain wrong. The way Chrome is installed neither circumvents anything, nor does it run as a portable app. What it does is get installed per-user, and the most compact way to prevent that is by the group policy setting I mentioned. Both the method and the cure have been known since W2K.

It is understood that whitelisting applications addresses a much larger problem of not running Chrome (or anything else) whether it's installed or not, and it may indeed be the best course with your motivated users, who indeed might then run it as portable; but generally speaking, regarding the original question, the answer "lock all apps except the approved" to the question "how to prevent per-user install" (which it in fact was) is overkill.

All this is not meant to argue or question your choice, but to inform someone who will find this Q a year later, that in order to block per-user install, there's a way that does exactly that, rather than blocking running all apps.