And now I'm really confused. Why make your users admins and then lock down the ways they can admin the system?
-- Robert Moir Senior IT Systems Engineer Luton Sixth Form College > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:ActiveDir- > [EMAIL PROTECTED] On Behalf Of Lucas, Bryan > Sent: 20 October 2006 01:11 > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Blocking IE7 > > Yes/No - Because we are an academic environment, the best we could do > was to make our users domain account a "user" but give them their own > local admin account. We use restricted groups to enforce. > > Bryan Lucas > Server Administrator > Texas Christian University > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:ActiveDir- > [EMAIL PROTECTED] On Behalf Of Kevin Brunson > Sent: Thursday, October 19, 2006 4:10 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Blocking IE7 > > Are your users local admins? Only admins can approve IE7 for install. > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:ActiveDir- > [EMAIL PROTECTED] On Behalf Of Lucas, Bryan > Sent: Thursday, October 19, 2006 2:49 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Blocking IE7 > > I must be missing something, I read: > > * "The Blocker Toolkit will not prevent users from manually installing > Internet Explorer 7 as a Recommended update from the Windows Update or > Microsoft Update sites, from the Microsoft Download Center, or from > external media. > > So it seems to me a hash rule combined with a filename rule should work > unless they change both on me. > > Bryan Lucas > Server Administrator > Texas Christian University > ________________________________________ > From: [EMAIL PROTECTED] [mailto:ActiveDir- > [EMAIL PROTECTED] On Behalf Of Laura A. Robinson > Sent: Thursday, October 19, 2006 12:40 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Blocking IE7 > > You might want to re-read the page that you linked to below, since it > answers all of your questions. > > 1. That toolkit is *not* designed to block WSUS deployments. With WSUS, > you would simply not approve the update. > 2. That toolkit *is* designed to block both the executable and > automatic update installations. > > Laura > > ________________________________________ > From: [EMAIL PROTECTED] [mailto:ActiveDir- > [EMAIL PROTECTED] On Behalf Of Lucas, Bryan > Sent: Thursday, October 19, 2006 12:55 PM > To: ActiveDir@mail.activedir.org > Subject: [ActiveDir] Blocking IE7 > I see how to block IE7 from deploying through WSUS, but what I don't > see is a way to block a user from manually installing it. > > (http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7- > 5D44-482B-9DBD-869B4A90159C&displaylang=en) > > Our users are 90% XP SP2 and managed through GP. What about building a > restricted software GPO that has a hash of iesetup7.exe (if that even > exists)? > > I want to restrict them from getting it through microsoftupdate.com as > well. > > Bryan Lucas > Server Administrator > Texas Christian University > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ml/threads.aspx > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ml/threads.aspx > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.mail-archive.com/activedir@mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
