That will not prevent users from installing things like Google Chrome. My users do not have local admin but yet they can install Chrome. That's because Chrome is a per-user install and will put all of its files in the user's profile.
I would do a quick Google search for application whitelisting to do what you are trying to do. Bit9 sells such a product.

On Mon, Apr 5, 2010 at 6:07 AM, Butturini, Russell <[email protected]> wrote:

> That's just something that's inherent to Windows. Users who aren't members
> of the local administrators group aren't allowed to write to those
> directories.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Sherwyn
> Sent: Sunday, April 04, 2010 8:19 PM
> To: Bugbear; PaulDotCom Security Weekly Mailing List
> Subject: Re: [Pauldotcom] Blocking Unwanted programing from installing
>
> The users are non-admin users. The odd thing is if one of those users logs
> into a Windows 7 box they are blocked from installing applications, but are
> allowed to on a Windows XP machine.
>
> I can look into using GPO to block windows installer but in terms of
> stopping them from writing to key folders are you referring to NTFS
> permissions or is this done via GPO?
>
> Thanks.
>
> Infolookup
> www.infolookup.blogspot.com
> www.twitter.com/infolookup
>
> -----Original Message-----
> From: Bugbear <[email protected]>
> Date: Sun, 4 Apr 2010 17:24:36
> To: PaulDotCom Security Weekly Mailing List<[email protected]>; [email protected]<[email protected]>
> Subject: Re: [Pauldotcom] Blocking Unwanted programing from installing
>
> Agree 100%
>
> On 4/4/10, Butturini, Russell <[email protected]> wrote:
> > In 2003 environments you can set group policy to disable the windows
> > installer on workstations. However this won't knock out third party
> > installation packagers. The best thing to do is strip local admin rights
> > from the users and prevent them from writing files to key directories
> > (program files, system32, etc.)
> >
> > ----- Original Message -----
> > From: Sherwyn <[email protected]>
> > To: Butturini, Russell; '[email protected]' <[email protected]>
> > Sent: Sun Apr 04 12:15:19 2010
> > Subject: Re: [Pauldotcom] Blocking Unwanted programing from installing
> >
> > They are running 2003.
> >
> > Thanks.
> > Infolookup
> > www.infolookup.blogspot.com
> > www.twitter.com/infolookup
> >
> > -----Original Message-----
> > From: "Butturini, Russell" <[email protected]>
> > Date: Sun, 4 Apr 2010 10:57:15
> > To: '[email protected]'<[email protected]>; '[email protected]'<[email protected]>
> > Subject: Re: [Pauldotcom] Blocking Unwanted programing from installing
> >
> > What version of SBS are you dealing with? 2003 or 2008? You have some more
> > capabilities in 2008 than 2003 for this sort of thing,
> >
> > ----- Original Message -----
> > From: [email protected] <[email protected]>
> > To: PaulDotCom Security Weekly Mailing List <[email protected]>
> > Sent: Sat Apr 03 20:34:27 2010
> > Subject: [Pauldotcom] Blocking Unwanted programing from installing
> >
> > Hello PDC Gurus,
> >
> > I am tasked with locking down a Microsoft SBS environment. The goal is to
> > allow all currently installed applications to be able to run but stop the
> > installation of any new application (limewire, AOL messenger etc).
> >
> > I am aware that I can use a Run only list or software restriction "path
> > rule", but since both of these can be very time consuming if the users have
> > lots of applications installed.
> >
> > Is there any way to just allow all currently installed apps run access but
> > block installation of new apps for a set of users?
> >
> > Thank you in advance.
> >
> > Infolookup
> > www.infolookup.blogspot.com
> > www.twitter.com/infolookup
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > [email protected]
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> >
> > ******************************************************************************
> > This email contains confidential and proprietary information and is not to
> > be used or disclosed to anyone other than the named recipient of this email,
> > and is to be used only for the intended purpose of this communication.
> > ******************************************************************************
>
> --
> Sent from my mobile device
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
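
The top reply's point, that a per-user installer such as Chrome puts its files in the user's profile and so needs no admin rights, can be checked on a workstation by listing executables stored under the profile directories. The script below is an added example, not part of the original thread; the function name `Get-PerUserExecutable` and the default profile root are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): list executables stored inside user
# profiles, where per-user installers can write without admin rights.
# Assumption: profiles live under C:\Users (Vista/7); on XP / Server 2003
# pass -ProfileRoot 'C:\Documents and Settings'.
param(
    [string]$ProfileRoot = 'C:\Users'
)

function Get-PerUserExecutable {
    param([string]$Root)

    # Each immediate sub-directory of the root is one user's profile.
    $profiles = Get-ChildItem -Path $Root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer }

    foreach ($p in $profiles) {
        # -Force includes hidden folders such as AppData / Local Settings.
        Get-ChildItem -Path $p.FullName -Recurse -Force -Include *.exe -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Profile  = $p.Name
                    Path     = $_.FullName
                    Modified = $_.LastWriteTime
                    Product  = $_.VersionInfo.ProductName
                }
            }
    }
}

$found = @(Get-PerUserExecutable -Root $ProfileRoot)

# Count of executables per profile, highest first.
$found | Group-Object Profile | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Full list for review: anything here runs from a user-writable location.
$found | Sort-Object Profile, Path |
    Format-List Profile, Product, Modified, Path
```

Run it from an account that can read the other users' profiles; folders it cannot read are skipped silently.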
