|
What I have noticed, in the couple of test
I have done, is that if the installer is a MSI package, it will immediately be
denied any further access. If it is a *.exe then there may be progress on
the installation and it is up to the *.exe on how to proceed. If a *.exe
is used, the system itself appears never to be modified except within the users
own profile allotted space. I am not sure how to restrict file
extensions on a folder. Do you have more information on this? I know that I can remove execute
permissions but this will take some work to do and resolve my issue. ß I am not
complaining about the work. Just that it will take some time. I guess if there is a way to filter out
certain executables I would want to filter them all out. So I guess
removing execute access will be the best way. But this would also mean I
would have to remove this type of permission to their desktop or My Documents since
they could also install such a program there providing it was under their 10MB
limit. But to go that far would be nasty and I don’t think it would
be recommended. From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Wassell The first thing that comes to mind is
disabling Windows Installer for non-managed apps via GPO, considering you are
already doing something similar as you had mentioned that may be the most
viable solution. Otherwise, I'm not sure if its possible or
how difficult it would be to implement but you could restrict the use of
certain file extensions in the user folder tree which would prevent users from
running executables for instance. Just two ideas... I'm sure there will be
more From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edwin Within our domain, roaming profiles are used. The roaming
profiles are limited to 10MB by means of a GPO. The user is also given a
networked drive (K:\) that gives them an additional 40MB which gives them a
grand total of 50MB of usable space when on their workstations. The 50MB
limit is then enforced by Disk Quotas. The roaming profile data and the
networked drive are both on the same machine. The user logging into their workstation is not able to
install applications unless first approved. What I have noticed however
is that users within the domain are still managing to run unauthorized pieces
of software. They are doing this by copying the files K:\ The
application that they want to use is a self executing program that does not need
to write data to the registry or modify the system in any way. In one case, I noticed that a user is using FireFox. I
installed the software with under the same user privileges and was able to do
so but with a warning that the application may not install correctly without
Admin rights. The application did install to the K:\ and worked correctly when
was opened. The good thing about this was that anything that was written
to the registry was access denied. So here is the question. How can I prevent users from installing
these type of applications to the K:\? When they do this, they are using
resources on the remote machine that shouldn’t be. I could care
less that they are using more drive space since it will only affect them and
their ability to write more files to the remote machine or will prevent them
from logging off of their desktop until the space is cleared. I don’t have a problem putting fear into those who are
doing this, but I would rather just cut them off and keep my mouth shut if a
solution is available. Any thoughts? Thanks everyone for your replies, Edwin |
