Yes but my point was that the moment you decide "We're gonna give {someone} 
admin rights" you've totally conceded control of the machine and you're 
reliant on their co-operation. If someone wants IE7 on their machine in your 
environment, they *will* have it.

As you can see from the sig in my last message, I'm quite familiar with 
academic environments.

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Lucas, Bryan
Sent: Fri 20/10/2006 15:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7
 
Being an academic environment, taking administrative rights away from users is 
not an easy thing to accomplish.  The compromise was to have their domain 
account (which they are logged in as 99% of the time) a non-admin, but then 
give them the admin rights in the form of a separate local account unique to 
their workstation.

This makes them safer while browsing and requires them to go through a very 
conscious extra set of steps to install new hw/sw.

It has worked very well, cut down on spyware/junkware as well as served as a 
training ground both for us and the users for the upcoming Vista model.

Bryan Lucas
Server Administrator
Texas Christian University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Friday, October 20, 2006 6:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

And now I'm really confused. Why make your users admins and then lock down the 
ways they can admin the system?

-- 
Robert Moir
Senior IT Systems Engineer
Luton Sixth Form College


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: 20 October 2006 01:11
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> Yes/No - Because we are an academic environment, the best we could do
> was to make our users' domain account a "user" but give them their own
> local admin account.  We use restricted groups to enforce.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Kevin Brunson
> Sent: Thursday, October 19, 2006 4:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> Are your users local admins?  Only admins can approve IE7 for install.
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: Thursday, October 19, 2006 2:49 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> I must be missing something, I read:
> 
> * "The Blocker Toolkit will not prevent users from manually installing
> Internet Explorer 7 as a Recommended update from the Windows Update or
> Microsoft Update sites, from the Microsoft Download Center, or from
> external media."
> 
> So it seems to me a hash rule combined with a filename rule should work
> unless they change both on me.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> ________________________________________
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Laura A. Robinson
> Sent: Thursday, October 19, 2006 12:40 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> You might want to re-read the page that you linked to below, since it
> answers all of your questions.
> 
> 1. That toolkit is *not* designed to block WSUS deployments. With WSUS,
> you would simply not approve the update.
> 2. That toolkit *is* designed to block both the executable and
> automatic update installations.
> 
> Laura
> 
> ________________________________________
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: Thursday, October 19, 2006 12:55 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Blocking IE7
> I see how to block IE7 from deploying through WSUS, but what I don't
> see is a way to block a user from manually installing it.
> 
> (http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-
> 5D44-482B-9DBD-869B4A90159C&displaylang=en)
> 
> Our users are 90% XP SP2 and managed through GP.  What about building a
> restricted software GPO that has a hash of iesetup7.exe (if that even
> exists)?
> 
> I want to restrict them from getting it through microsoftupdate.com as
> well.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir@mail.activedir.org/