Our Windows network has multiple drives that by default have read/write access available to the everyone group and has been that way for years. However, one particular group of staff have been more prone to clicking virus e-mails or links.
What would be the best and ideally efficient way to limit the potential exposure and damage this group could do if a ransomware or other malicious file were to try to run on their PCs?
Changing the drives from everyone read/write would take a long time, but may be the best option? I haven't really used deny group options, so maybe I go that route?
They're local admins on their PCs, so maybe I need to change that as well.