possible to restrict install of yahoo toolbar?

How can I keep people from installing yahoo toolbar? It appears that local
admin or not, that that darn tool bar keeps winding up on peoples machines.
How is it getting around admin rights?

In news:(E-Mail Removed),
(E-Mail Removed) <(E-Mail Removed)> typed:
> How can I keep people from installing yahoo toolbar? It appears that
> local admin or not, that that darn tool bar keeps winding up on
> peoples machines. How is it getting around admin rights?

A lot of software doesn't require write access to the areas of the registry
& file system that regular user accounts don't have access to.

Are you using AD?

In news:eDfDIY%(E-Mail Removed),
Lanwench [MVP - Exchange]
<(E-Mail Removed) ahoo.com> stated, which I
commented on below:
> A lot of software doesn't require write access to the areas of the
> registry & file system that regular user accounts don't have access
> to.
> Are you using AD?

Such as the way some ActiveX objects install during a drive-by. Antispyware
will help here.

Ace

I'm just taking a shot in the dark,...but what about Software Restriction
Policies in a GPO? Wouldn't most of these types of things execute the
installation from the Temporary Internet Files folder structure? Maybe a
restriction could be made that says nothing is allowed to be executed from
that set of folders. I'm sure there is probably an enviroment variable to
help point to the location in the user's profile path so it will adjust for
different users/profiles. The GPO would use a "Path Rule" based Software
Restriction Policy.

This (if it works) would stop any executable from running from that location
so the user would no longer be able to "open" directly from the file
download prompt, they would have to save to the HD first then run
it,...which really isn't a bad thing to force anyway.

I don't know how ActiveX would play into that, but they can be stopped
independently anyway so it is not a big deal preventing ActiveX from running
via pushing out IE settings with a GPO.

Of course I didn't get much sleep last night so I could be fantisizing. :-)

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

In news:%(E-Mail Removed),
Phillip Windell <@.> stated, which I commented on below:
> I'm just taking a shot in the dark,...but what about Software
> Restriction Policies in a GPO? Wouldn't most of these types of
> things execute the installation from the Temporary Internet Files
> folder structure? Maybe a restriction could be made that says
> nothing is allowed to be executed from that set of folders. I'm sure
> there is probably an enviroment variable to help point to the
> location in the user's profile path so it will adjust for different
> users/profiles. The GPO would use a "Path Rule" based Software
> Restriction Policy.
>
> This (if it works) would stop any executable from running from that
> location so the user would no longer be able to "open" directly from
> the file download prompt, they would have to save to the HD first
> then run it,...which really isn't a bad thing to force anyway.
>
> I don't know how ActiveX would play into that, but they can be stopped
> independently anyway so it is not a big deal preventing ActiveX from
> running via pushing out IE settings with a GPO.
>
> Of course I didn't get much sleep last night so I could be
> fantisizing. :-)

That may be a possibility. As for ActiveX, something else would call it, so
would it really be running in that folder? I'm not sure, just speculating,
and I can probably be totally wrong.

Comments welcomed!

Ace

"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@ho tmail.com> wrote in
message news:%(E-Mail Removed)...
> In news:%(E-Mail Removed),
> That may be a possibility. As for ActiveX, something else would call it,
so
> would it really be running in that folder?

You can kill the ActiveX with a GPO that pushes out the browser's security
settings to the Clients. So it would be separate from the other, but still
done with GPO (preferably a separate distinct GPO).

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

In news:%23ii27%(E-Mail Removed),
Phillip Windell <@.> stated, which I commented on below:
> "Ace Fekay [MVP]"
> <PleaseSubstituteMyActualFirstName&LastNameHere@ho tmail.com> wrote in
> message news:%(E-Mail Removed)...
>> In news:%(E-Mail Removed),
>> That may be a possibility. As for ActiveX, something else would call
>> it, so would it really be running in that folder?
>
> You can kill the ActiveX with a GPO that pushes out the browser's
> security settings to the Clients. So it would be separate from the
> other, but still done with GPO (preferably a separate distinct GPO).

I see. I guess I was going about it the long way!

:-)

No AD, and I would have to do whatever I do to each PC as I am not the
domain admin (they are too busy to deal with this I guess) I have local
admin rights to all machines however.

"Lanwench [MVP - Exchange]"
<(E-Mail Removed) ahoo.com> wrote in message
news:eDfDIY%(E-Mail Removed)...
>
>
> In news:(E-Mail Removed),
> (E-Mail Removed) <(E-Mail Removed)> typed:
>> How can I keep people from installing yahoo toolbar? It appears that
>> local admin or not, that that darn tool bar keeps winding up on
>> peoples machines. How is it getting around admin rights?
>
> A lot of software doesn't require write access to the areas of the
> registry & file system that regular user accounts don't have access to.
>
> Are you using AD?
>
>