Yes/No - Because we are an academic environment, the best we could do was to make our users domain account a "user" but give them their own local admin account. We use restricted groups to enforce.
Bryan Lucas Server Administrator Texas Christian University -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson Sent: Thursday, October 19, 2006 4:10 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Blocking IE7 Are your users local admins? Only admins can approve IE7 for install. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan Sent: Thursday, October 19, 2006 2:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Blocking IE7 I must be missing something, I read: * "The Blocker Toolkit will not prevent users from manually installing Internet Explorer 7 as a Recommended update from the Windows Update or Microsoft Update sites, from the Microsoft Download Center, or from external media. So it seems to me a hash rule combined with a filename rule should work unless they change both on me. Bryan Lucas Server Administrator Texas Christian University ________________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Thursday, October 19, 2006 12:40 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Blocking IE7 You might want to re-read the page that you linked to below, since it answers all of your questions. 1. That toolkit is *not* designed to block WSUS deployments. With WSUS, you would simply not approve the update. 2. That toolkit *is* designed to block both the executable and automatic update installations. Laura ________________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan Sent: Thursday, October 19, 2006 12:55 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Blocking IE7 I see how to block IE7 from deploying through WSUS, but what I don't see is a way to block a user from manually installing it. (http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en) Our users are 90% XP SP2 and managed through GP. What about building a restricted software GPO that has a hash of iesetup7.exe (if that even exists)? I want to restrict them from getting it through microsoftupdate.com as well. Bryan Lucas Server Administrator Texas Christian University List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/