Re: Preventing users installing programms...?
From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: Thu, 02 Sep 2004 00:27:19 GMT
It took me a while to get used to XP Pro but it really has some nice advantages.
Anyhow see the link below for the policy I was mentioning. Gpedit.msc will open local
Group Policy. --- Steve
Editing the Local Policy on a Windows 2000-Based Computer
To restrict users from running specific Windows programs on a standalone Windows
1.. Click Start, and then click Run.
2.. In the Open box, type gpedit.msc, and then click OK.
3.. Expand User Configuration, expand Administrative Templates, and then expand
4.. In the right pane, double-click Don't run specified Windows applications.
5.. Click Enabled, and then click Show.
6.. Click Add, and then type the executable file name of the program that you want
to restrict users from running. For example, type iexplore.exe.
7.. Click OK, click OK, and then click OK.
<email@example.com> wrote in message
> Thanks for your really helpfull post steve..but can you
> actually tell me the name of the police you were talking
> about..? As obviously i dont wish to impose unnessesary
> restrictions and im not sure which one to use.
> I had thought about XP pro but to be honest I hate XP and
> its clumsy interface. Id still buy 2000 pro any
> day..perhaps im the only one who feels like this..lol?
> anyway hope you get this post ty for such a quick reply.
> Yours paulk
>>First off if at all possible make sure these users are
> only regular users and not
>>local administrators or else it is usually a lost cause.
>>There is a Group Policy setting under user
>>templates/system where you can populate the disallowed
> Windows application list. Be
>>sure to read it's full explanation and add the
> executeables for those common
>>applications to the list and also add install.exe and
> setup.exe. Since you will be
>>using Local Group Policy the these restrictions will
> apply to ALL users on that
>>computer and will need to be temporarily disabled to
> install legitimate software. If
>>a user is able to rename an executable they will be able
> to bypass that restriction.
>>A more extreme measure that I have tried on myself but is
> not 100 percent tested is
>>to make sure that users can not write to any folder other
> than their profile and then
>>use ntfs special permissions to deny the user execute
> permissions to "files only" for
>>the profile folder. Depending on the user, they may be
> able to figure out that they
>>can change permissions back to allow execute. Otherwise
> consider upgrading to XP Pro
>>where it is easy to lockdown users to authorized
> applications only using Software
>>Restriction Policies, even local administrators.. ---
>>"Paul K" <firstname.lastname@example.org> wrote in
>>> hi all..
>>> Can anyone help me???
>>> Ive a standalone win 2000pro workstation, ive locked it
>>> down tight but i cant find a way to prevent a user
>>> installing "messenger" "AOL chat" and any other programs
>>> she wants to run.
>>> I would love to find a way of preventing my users
>>> installing all, and any programs, on this STAND ALONE
>>> Any help greatly appreciated
>>> Yours PaulK