Making sure that they are no more than regular users is a start, however
that will not stop all software installations. There is a setting in user
configuration/administrative templates/system for don't run specified
Windows applications where you could enter setup.exe, install.exe, etc.
However that will not prevent a user from renaming setup.exe to work around
it. A much better way for Windows XP Pro is to use the Software Restriction
Policies that are very powerful and can restrict software based on path,
certificate, or hash rules. You may be able to manage that via Group Policy
in W2K as explained in KB link below on updating W2K for XP policies. In
addition review NTFS permissions on your computers, particularly at the
root/drive folder [check advanced permissions also] where a regular user may
have ability to write files and folders in which case you may want to reduce
that to read/list/execute which basically would allow them to write only to
their profile folders. --- Steve
http://support.microsoft.com/default...b;en-us;307900
http://support.microsoft.com/default...b;en-us;323525
http://www.microsoft.com/technet/tre...n/rstrplcy.asp
http://tinyurl.com/rweh --- same link as above shorter
"Joe Hardin" wrote in message:
> I have a stable Win2K server network.
>
> We are now attaching new WinXP machines to the network. I have successfully
> used GPOs to remove access to the Control Panel and to limit changes to the
> desktop, but I need to stop a user from installing software from a CD or
> Floppy. I understand that you can stop the autorun feature and you can stop
> the use of Windows Installer MSI files, but that doesn't stop a user from
> executing a Setup.exe file on the removable media and installing a program.
>
> How in a server based GPO do I prevent a user from manually installing
> software?
>
>
> Thanks for all of your help,
>
> Joe Hardin
>
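
Added example, not part of the original post: a small Python model of the rule types discussed in the reply above (the name list from the "don't run specified Windows applications" setting, and path and hash rules from Software Restriction Policies), showing which rule still matches when a file is renamed. It is not how Windows evaluates policy; the file contents, paths, drive letters A: and D:, and the use of SHA-256 as the file hash are assumptions made for illustration.

```python
import hashlib
import ntpath

# Constructed sample file contents (not real installers).
INSTALLER = b"MZ constructed installer image v1"
INSTALLER_V2 = b"MZ constructed installer image v2"
LOB_APP = b"MZ constructed line-of-business app"

BLOCKED_NAMES = {"setup.exe", "install.exe"}   # name list, as in the template setting
DISALLOWED_PATHS = ("a:\\", "d:\\")            # assumed floppy and CD drive letters
DISALLOWED_HASHES = {hashlib.sha256(INSTALLER).hexdigest()}  # SHA-256 is an assumption


def name_rule(path, content):
    """Match only when the file name itself is on the list."""
    return ntpath.basename(path).lower() in BLOCKED_NAMES


def path_rule(path, content):
    """Match anything started from a disallowed location, whatever its name."""
    return path.lower().startswith(DISALLOWED_PATHS)


def hash_rule(path, content):
    """Match one exact file by content, whatever its name or location."""
    return hashlib.sha256(content).hexdigest() in DISALLOWED_HASHES


RULES = {"name": name_rule, "path": path_rule, "hash": hash_rule}

# Constructed launch attempts: (full path, file content).
LAUNCHES = [
    ("D:\\setup.exe", INSTALLER),
    ("D:\\notes.exe", INSTALLER),      # same file, renamed
    ("C:\\Documents and Settings\\joe\\Desktop\\notes.exe", INSTALLER),  # same file on local disk
    ("D:\\setup2.exe", INSTALLER_V2),  # different build, so a different hash
    ("C:\\Program Files\\App\\app.exe", LOB_APP),
]


def evaluate(launches=LAUNCHES):
    """Return {path: set of rule names that would block that launch}."""
    return {p: {n for n, rule in RULES.items() if rule(p, c)} for p, c in launches}


if __name__ == "__main__":
    for path, blocked_by in evaluate().items():
        print(f"{path:55} blocked by: {sorted(blocked_by) or 'nothing'}")
```

The output shows that each rule type covers a different case: the path rule covers everything on the listed drives, while a hash rule has to be added for every build of a file that should be blocked.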