RE: [ActiveDir] Blocking IE7

2006-10-23 Thread Lucas, Bryan
1) We do use restricted groups and we do it with local accounts.  The
UID is the same "local_admin" but the password is unique for each
machine.  Yes, I realize they can add themselves, but as I said not
having it by default is a huge advantage.

2) I agree with your assessment of need.  It is a political issue, not a
function of special software/hardware needs in an academic environment.
It might make more sense if I used the phrase academic freedom.  It just
simply isn't the same as a corporate environment where policy can be
mandated more easily.

3) We have a number of enterprise products that have not certified IE7
yet.  If we roll it out, we move into "unsupported" territory.  
3a) We also need to complete our compatibility and deployment testing.
 
Bryan Lucas
Server Administrator
Texas Christian University

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rich Milburn
Sent: Monday, October 23, 2006 7:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

If they have local admin rights, it's a trivial task to add their
non-admin (are you referring to non-domain-admin?) domain account to the
local administrator's group and be done with silly restrictions.  Unless
you're controlling local admin group membership via GPO - but since
you're using unique local administrative accounts I'm thinking you're
not controlling membership via GPO.

You stated that they have local admin rights because taking them away is
not an easy thing to do - since you are an academic environment.  Well,
I think that's a political thing, not something related to the
environment you're in.  Everyone "needs" admin access, just ask them.
It's not just an academic thing.  Of course, you didn't ask us (or me)
an opinion on admin rights.  I just wanted to point out that if you have
problems related to that, you might want to revisit the issue and know
that [IMHO] the "need" for admin rights is not a special academic
environment need.

Anyway I probably missed a post somewhere, but why the Herculean efforts
to block IE7?  I'm just curious.  

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I love the smell of red herrings in the morning" - anonymous
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Sunday, October 22, 2006 1:32 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7


Yes but my point was that the moment you decide "We're gonna give
{someone} admin rights" you've totally conceded control of the machine
and you're reliant on their co-operation. If someone wants IE7 on their
machine in your environment, they *will* have it.

As you can see from the sig in my last message, I'm quite familiar with
academic environments.

-----Original Message-
From: [EMAIL PROTECTED] on behalf of Lucas, Bryan
Sent: Fri 20/10/2006 15:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7
 
Being an academic environment, taking administrative rights away from
users is not an easy thing to accomplish.  The compromise was to have
their domain account (which they are logged in as 99% of the time) a
non-admin, but then give them the admin rights in the form of a separate
local account unique to their workstation.

This makes them safer while browsing and requires them to go through a
very conscious extra set of steps to install new hw/sw.

It has worked very well, cut down on spyware/junkware as well as served
as a training ground both for us and the users for the upcoming Vista
model.

Bryan Lucas
Server Administrator
Texas Christian University

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Friday, October 20, 2006 6:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

And now I'm really confused. Why make your users admins and then lock
down the ways they can admin the system?

-- 
Robert Moir
Senior IT Systems Engineer
Luton Sixth Form College


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: 20 October 2006 01:11
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> Yes/No - Because we are an academic environment, the best we could do
> was to make our users domain account a "user" but give them their own
> local admin account.  We use restricted groups to enforce.
> 
> Bryan Lucas
> Server A
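
The exchange above turns on whether accounts outside the Restricted Groups list end up in the local Administrators group. The following is an added example, not code from any poster in this thread: it parses `net localgroup Administrators` output collected from workstations and reports drift from a baseline. The `CAMPUS` domain, the `jdoe` account, the host names and the sample outputs are constructed; `local_admin` is the account name mentioned in the thread.

```python
"""Compare local Administrators membership with a Restricted Groups baseline."""

# Constructed sample of English-locale `net localgroup Administrators` output
# from a workstation where an everyday domain account was added to the group.
SAMPLE_DRIFT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CAMPUS\\Domain Admins
CAMPUS\\jdoe
local_admin
The command completed successfully.

"""

# Same workstation layout with only the intended members (constructed).
SAMPLE_CLEAN = SAMPLE_DRIFT.replace("CAMPUS\\jdoe\n", "")

# Constructed failure output, e.g. the group could not be queried.
SAMPLE_ERROR = "System error 1376 has occurred.\n\nThe specified local group does not exist.\n"

# Assumed baseline: the members the Restricted Groups policy is meant to enforce.
BASELINE = {"Administrator", "CAMPUS\\Domain Admins", "local_admin"}


def parse_members(net_output):
    """Return the member names listed after the dashed separator line."""
    members = []
    in_members = False
    for line in net_output.splitlines():
        text = line.strip()
        if not in_members:
            if text and set(text) == {"-"}:
                in_members = True
            continue
        if not text:
            continue
        if text.lower().startswith("the command completed"):
            break
        members.append(text)
    if not in_members:
        # No member list at all: treat as a collection failure, not as "empty".
        raise ValueError("no member list found in output")
    return members


def audit(net_output, baseline):
    """Report members outside the baseline and baseline members that are absent."""
    present = parse_members(net_output)
    present_cf = {m.casefold() for m in present}
    baseline_cf = {b.casefold() for b in baseline}
    return {
        "unexpected": sorted(m for m in present if m.casefold() not in baseline_cf),
        "missing": sorted(b for b in baseline if b.casefold() not in present_cf),
    }


def audit_fleet(outputs, baseline):
    """Map host name to findings, listing only hosts that drifted or failed."""
    findings = {}
    for host, text in sorted(outputs.items()):
        try:
            result = audit(text, baseline)
        except ValueError as exc:
            findings[host] = {"error": str(exc)}
            continue
        if result["unexpected"] or result["missing"]:
            findings[host] = result
    return findings


# Constructed fleet: one clean host, one with drift, one that failed to report.
FLEET = {"LAB-PC-01": SAMPLE_CLEAN, "LAB-PC-02": SAMPLE_DRIFT, "LAB-PC-03": SAMPLE_ERROR}

if __name__ == "__main__":
    for host, finding in audit_fleet(FLEET, BASELINE).items():
        print(host, finding)
```
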

RE: [ActiveDir] Blocking IE7

2006-10-23 Thread Rich Milburn
If they have local admin rights, it's a trivial task to add their
non-admin (are you referring to non-domain-admin?) domain account to the
local administrator's group and be done with silly restrictions.  Unless
you're controlling local admin group membership via GPO - but since
you're using unique local administrative accounts I'm thinking you're
not controlling membership via GPO.

You stated that they have local admin rights because taking them away is
not an easy thing to do - since you are an academic environment.  Well,
I think that's a political thing, not something related to the
environment you're in.  Everyone "needs" admin access, just ask them.
It's not just an academic thing.  Of course, you didn't ask us (or me)
an opinion on admin rights.  I just wanted to point out that if you have
problems related to that, you might want to revisit the issue and know
that [IMHO] the "need" for admin rights is not a special academic
environment need.

Anyway I probably missed a post somewhere, but why the Herculean efforts
to block IE7?  I'm just curious.  

---
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Overland Park, KS 66207
913-967-2819
--
"I love the smell of red herrings in the morning" - anonymous
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Sunday, October 22, 2006 1:32 PM
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7


Yes but my point was that the moment you decide "We're gonna give
{someone} admin rights" you've totally conceded control of the machine
and you're reliant on their co-operation. If someone wants IE7 on their
machine in your environment, they *will* have it.

As you can see from the sig in my last message, I'm quite familiar with
academic environments.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Lucas, Bryan
Sent: Fri 20/10/2006 15:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7
 
Being an academic environment, taking administrative rights away from
users is not an easy thing to accomplish.  The compromise was to have
their domain account (which they are logged in as 99% of the time) a
non-admin, but then give them the admin rights in the form of a separate
local account unique to their workstation.

This makes them safer while browsing and requires them to go through a
very conscious extra set of steps to install new hw/sw.

It has worked very well, cut down on spyware/junkware as well as served
as a training ground both for us and the users for the upcoming Vista
model.

Bryan Lucas
Server Administrator
Texas Christian University

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Friday, October 20, 2006 6:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

And now I'm really confused. Why make your users admins and then lock
down the ways they can admin the system?

-- 
Robert Moir
Senior IT Systems Engineer
Luton Sixth Form College


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: 20 October 2006 01:11
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> Yes/No - Because we are an academic environment, the best we could do
> was to make our users domain account a "user" but give them their own
> local admin account.  We use restricted groups to enforce.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Kevin Brunson
> Sent: Thursday, October 19, 2006 4:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> Are your users local admins?  Only admins can approve IE7 for install.
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: Thursday, October 19, 2006 2:49 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> I must be missing something, I read:
> 
> * "The Blocker Toolkit will not prevent users from manually installing
> Internet Explorer 7 as a Recommended update from the Windows Update or
> Microsoft Update sites, from the Microsoft Download Center, or from
> external media.
> 
> So it seems to me a hash rule combined with a filename rule should work
> unless they change both o

RE: [ActiveDir] Blocking IE7

2006-10-22 Thread Rob MOIR

Yes but my point was that the moment you decide "We're gonna give {someone} 
admin rights" you've totally conceded control of the machine and you're 
reliant on their co-operation. If someone wants IE7 on their machine in your 
environment, they *will* have it.

As you can see from the sig in my last message, I'm quite familiar with 
academic environments.

-Original Message-
From: [EMAIL PROTECTED] on behalf of Lucas, Bryan
Sent: Fri 20/10/2006 15:51
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7
 
Being an academic environment, taking administrative rights away from users is 
not an easy thing to accomplish.  The compromise was to have their domain 
account (which they are logged in as 99% of the time) a non-admin, but then 
give them the admin rights in the form of a separate local account unique to 
their workstation.

This makes them safer while browsing and requires them to go through a very 
conscious extra set of steps to install new hw/sw.

It has worked very well, cut down on spyware/junkware as well as served as a 
training ground both for us and the users for the upcoming Vista model.

Bryan Lucas
Server Administrator
Texas Christian University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Friday, October 20, 2006 6:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

And now I'm really confused. Why make your users admins and then lock down the 
ways they can admin the system?

-- 
Robert Moir
Senior IT Systems Engineer
Luton Sixth Form College


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: 20 October 2006 01:11
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> Yes/No - Because we are an academic environment, the best we could do
> was to make our users domain account a "user" but give them their own
> local admin account.  We use restricted groups to enforce.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Kevin Brunson
> Sent: Thursday, October 19, 2006 4:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> Are your users local admins?  Only admins can approve IE7 for install.
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: Thursday, October 19, 2006 2:49 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> I must be missing something, I read:
> 
> * "The Blocker Toolkit will not prevent users from manually installing
> Internet Explorer 7 as a Recommended update from the Windows Update or
> Microsoft Update sites, from the Microsoft Download Center, or from
> external media.
> 
> So it seems to me a hash rule combined with a filename rule should work
> unless they change both on me.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> 
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Laura A. Robinson
> Sent: Thursday, October 19, 2006 12:40 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> You might want to re-read the page that you linked to below, since it
> answers all of your questions.
> 
> 1. That toolkit is *not* designed to block WSUS deployments. With WSUS,
> you would simply not approve the update.
> 2. That toolkit *is* designed to block both the executable and
> automatic update installations.
> 
> Laura
> 
> 
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: Thursday, October 19, 2006 12:55 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Blocking IE7
> I see how to block IE7 from deploying through WSUS, but what I don't
> see is a way to block a user from manually installing it.
> 
> (http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-
> 5D44-482B-9DBD-869B4A90159C&displaylang=en)
> 
> Our users are 90% XP SP2 and managed through GP.  What about building a
> restricted software GPO that has a hash of iesetup7.exe (if that even
> exists)?
> 
> I want to restrict them from getting it through microsoftupdate.com as
> well.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.o

Re: [ActiveDir] Blocking IE7

2006-10-20 Thread Matt Hargraves
You could be correct, it's been about 7 or 8 years since I worked with government institutions.  I know that for K12 they were able to filter, but he's at a university and I didn't notice until later that it's (probably) a private institution that probably doesn't get money from the federal government.  I know that when I worked for a library though, they were not able to filter at all (I asked what software they used and they said that they couldn't filter because they received government funds). I assume that it's the same at a university, where everyone is expected to be an adult.  Again though, he appears to be at a private institution, where those rules wouldn't apply.
On 10/19/06, Brian Desmond <[EMAIL PROTECTED]> wrote:

You might want to check on that again. To even qualify for erate
funds as a K12 you need to be doing web content filtering.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Thursday, October 19, 2006 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Blocking IE7

I believe that disabling the Automatic Updates service via GPO will block
them from installing it, not 100% sure though.

Since you're in an educational environment, things can be a little dicey
there.  You can't restrict the internet (government funds thing) and I
don't know offhand whether the IE7 installs through Windows Update are running
as Local System or as the user that is logged in.  If it's running as the
user account, you can simply deny them the right to install software, but if
it's running as the local System, things are a little more ugly.

On 10/19/06, Lucas, Bryan <[EMAIL PROTECTED]> wrote:

I see how to block IE7 from deploying through WSUS, but what I don't see is a
way to block a user from manually installing it.

(http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

Our users are 90% XP SP2 and managed through GP.  What about building a
restricted software GPO that has a hash of iesetup7.exe (if that even exists)?

I want to restrict them from getting it through microsoftupdate.com as well.

Bryan Lucas
Server Administrator
Texas Christian University

RE: [ActiveDir] Blocking IE7

2006-10-20 Thread Lucas, Bryan
Being an academic environment, taking administrative rights away from users is 
not an easy thing to accomplish.  The compromise was to have their domain 
account (which they are logged in as 99% of the time) a non-admin, but then 
give them the admin rights in the form of a separate local account unique to 
their workstation.

This makes them safer while browsing and requires them to go through a very 
conscious extra set of steps to install new hw/sw.

It has worked very well, cut down on spyware/junkware as well as served as a 
training ground both for us and the users for the upcoming Vista model.

Bryan Lucas
Server Administrator
Texas Christian University

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rob MOIR
Sent: Friday, October 20, 2006 6:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

And now I'm really confused. Why make your users admins and then lock down the 
ways they can admin the system?

-- 
Robert Moir
Senior IT Systems Engineer
Luton Sixth Form College


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: 20 October 2006 01:11
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> Yes/No - Because we are an academic environment, the best we could do
> was to make our users domain account a "user" but give them their own
> local admin account.  We use restricted groups to enforce.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Kevin Brunson
> Sent: Thursday, October 19, 2006 4:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> Are your users local admins?  Only admins can approve IE7 for install.
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: Thursday, October 19, 2006 2:49 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> I must be missing something, I read:
> 
> * "The Blocker Toolkit will not prevent users from manually installing
> Internet Explorer 7 as a Recommended update from the Windows Update or
> Microsoft Update sites, from the Microsoft Download Center, or from
> external media.
> 
> So it seems to me a hash rule combined with a filename rule should work
> unless they change both on me.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> 
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Laura A. Robinson
> Sent: Thursday, October 19, 2006 12:40 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> You might want to re-read the page that you linked to below, since it
> answers all of your questions.
> 
> 1. That toolkit is *not* designed to block WSUS deployments. With WSUS,
> you would simply not approve the update.
> 2. That toolkit *is* designed to block both the executable and
> automatic update installations.
> 
> Laura
> 
> 
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: Thursday, October 19, 2006 12:55 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Blocking IE7
> I see how to block IE7 from deploying through WSUS, but what I don't
> see is a way to block a user from manually installing it.
> 
> (http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-
> 5D44-482B-9DBD-869B4A90159C&displaylang=en)
> 
> Our users are 90% XP SP2 and managed through GP.  What about building a
> restricted software GPO that has a hash of iesetup7.exe (if that even
> exists)?
> 
> I want to restrict them from getting it through microsoftupdate.com as
> well.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
> List info   : http://www.activedir.org/List.aspx
> List FAQ: http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Blocking IE7

2006-10-20 Thread Rob MOIR
And now I'm really confused. Why make your users admins and then lock down the 
ways they can admin the system?

-- 
Robert Moir
Senior IT Systems Engineer
Luton Sixth Form College


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: 20 October 2006 01:11
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> Yes/No - Because we are an academic environment, the best we could do
> was to make our users domain account a "user" but give them their own
> local admin account.  We use restricted groups to enforce.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Kevin Brunson
> Sent: Thursday, October 19, 2006 4:10 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> Are your users local admins?  Only admins can approve IE7 for install.
> 
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: Thursday, October 19, 2006 2:49 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> I must be missing something, I read:
> 
> * "The Blocker Toolkit will not prevent users from manually installing
> Internet Explorer 7 as a Recommended update from the Windows Update or
> Microsoft Update sites, from the Microsoft Download Center, or from
> external media.
> 
> So it seems to me a hash rule combined with a filename rule should work
> unless they change both on me.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> 
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Laura A. Robinson
> Sent: Thursday, October 19, 2006 12:40 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Blocking IE7
> 
> You might want to re-read the page that you linked to below, since it
> answers all of your questions.
> 
> 1. That toolkit is *not* designed to block WSUS deployments. With WSUS,
> you would simply not approve the update.
> 2. That toolkit *is* designed to block both the executable and
> automatic update installations.
> 
> Laura
> 
> 
> From: [EMAIL PROTECTED] [mailto:ActiveDir-
> [EMAIL PROTECTED] On Behalf Of Lucas, Bryan
> Sent: Thursday, October 19, 2006 12:55 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Blocking IE7
> I see how to block IE7 from deploying through WSUS, but what I don't
> see is a way to block a user from manually installing it.
> 
> (http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-
> 5D44-482B-9DBD-869B4A90159C&displaylang=en)
> 
> Our users are 90% XP SP2 and managed through GP.  What about building a
> restricted software GPO that has a hash of iesetup7.exe (if that even
> exists)?
> 
> I want to restrict them from getting it through microsoftupdate.com as
> well.
> 
> Bryan Lucas
> Server Administrator
> Texas Christian University
> 


RE: [ActiveDir] Blocking IE7

2006-10-19 Thread Lucas, Bryan
Yes/No - Because we are an academic environment, the best we could do was to 
make our users domain account a "user" but give them their own local admin 
account.  We use restricted groups to enforce.

Bryan Lucas
Server Administrator
Texas Christian University
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Brunson
Sent: Thursday, October 19, 2006 4:10 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

Are your users local admins?  Only admins can approve IE7 for install.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, October 19, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

I must be missing something, I read:

* "The Blocker Toolkit will not prevent users from manually installing Internet 
Explorer 7 as a Recommended update from the Windows Update or Microsoft Update 
sites, from the Microsoft Download Center, or from external media. 

So it seems to me a hash rule combined with a filename rule should work unless 
they change both on me.

Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, October 19, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

You might want to re-read the page that you linked to below, since it answers 
all of your questions.
 
1. That toolkit is *not* designed to block WSUS deployments. With WSUS, you 
would simply not approve the update.
2. That toolkit *is* designed to block both the executable and automatic update 
installations.
 
Laura


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, October 19, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Blocking IE7
I see how to block IE7 from deploying through WSUS, but what I don't see is a 
way to block a user from manually installing it.

(http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

Our users are 90% XP SP2 and managed through GP.  What about building a 
restricted software GPO that has a hash of iesetup7.exe (if that even exists)?

I want to restrict them from getting it through microsoftupdate.com as well.

Bryan Lucas
Server Administrator
Texas Christian University



RE: [ActiveDir] Blocking IE7

2006-10-19 Thread Kevin Brunson
Are your users local admins?  Only admins can approve IE7 for install.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, October 19, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

I must be missing something, I read:

* "The Blocker Toolkit will not prevent users from manually installing Internet 
Explorer 7 as a Recommended update from the Windows Update or Microsoft Update 
sites, from the Microsoft Download Center, or from external media. 

So it seems to me a hash rule combined with a filename rule should work unless 
they change both on me.

Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, October 19, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

You might want to re-read the page that you linked to below, since it answers 
all of your questions.
 
1. That toolkit is *not* designed to block WSUS deployments. With WSUS, you 
would simply not approve the update.
2. That toolkit *is* designed to block both the executable and automatic update 
installations.
 
Laura


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, October 19, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Blocking IE7
I see how to block IE7 from deploying through WSUS, but what I don't see is a 
way to block a user from manually installing it.

(http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

Our users are 90% XP SP2 and managed through GP.  What about building a 
restricted software GPO that has a hash of iesetup7.exe (if that even exists)?

I want to restrict them from getting it through microsoftupdate.com as well.

Bryan Lucas
Server Administrator
Texas Christian University



RE: [ActiveDir] Blocking IE7

2006-10-19 Thread Brian Desmond
You might want to check on that again. To even qualify for erate
funds as a K12 you need to be doing web content filtering.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Thursday, October 19, 2006 1:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Blocking IE7

I believe that disabling the Automatic Updates service via GPO will block
them from installing it, not 100% sure though.

Since you're in an educational environment, things can be a little dicey
there.  You can't restrict the internet (government funds thing) and I
don't know offhand whether the IE7 installs through Windows Update are running
as Local System or as the user that is logged in.  If it's running as the
user account, you can simply deny them the right to install software, but if
it's running as the local System, things are a little more ugly.

On 10/19/06, Lucas, Bryan <[EMAIL PROTECTED]> wrote:

I see how to block IE7 from deploying through WSUS, but what I don't see is a
way to block a user from manually installing it.

(http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

Our users are 90% XP SP2 and managed through GP.  What about building a
restricted software GPO that has a hash of iesetup7.exe (if that even exists)?

I want to restrict them from getting it through microsoftupdate.com as well.

Bryan Lucas
Server Administrator
Texas Christian University

RE: [ActiveDir] Blocking IE7

2006-10-19 Thread Lucas, Bryan
I must be missing something, I read:

* "The Blocker Toolkit will not prevent users from manually installing Internet
Explorer 7 as a Recommended update from the Windows Update or Microsoft Update
sites, from the Microsoft Download Center, or from external media."

So it seems to me a hash rule combined with a filename rule should work unless 
they change both on me.

Bryan Lucas
Server Administrator
Texas Christian University

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Thursday, October 19, 2006 12:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Blocking IE7

You might want to re-read the page that you linked to below, since it answers 
all of your questions.
 
1. That toolkit is *not* designed to block WSUS deployments. With WSUS, you 
would simply not approve the update.
2. That toolkit *is* designed to block both the executable and automatic update 
installations.
 
Laura


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, October 19, 2006 12:55 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Blocking IE7
I see how to block IE7 from deploying through WSUS, but what I don't see is a 
way to block a user from manually installing it.

(http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

Our users are 90% XP SP2 and managed through GP.  What about building a 
restricted software GPO that has a hash of iesetup7.exe (if that even exists)?

I want to restrict them from getting it through microsoftupdate.com as well.

Bryan Lucas
Server Administrator
Texas Christian University



Re: [ActiveDir] Blocking IE7

2006-10-19 Thread Matt Hargraves
I believe that disabling the Automatic Updates service via GPO will block them from installing it, not 100% sure though.

Since you're in an educational environment, things can be a little dicey there.  You can't restrict the internet (government funds thing) and I don't know offhand whether the IE7 installs through Windows Update are running as Local System or as the user that is logged in.  If it's running as the user account, you can simply deny them the right to install software, but if it's running as the local System, things are a little more ugly.

On 10/19/06, Lucas, Bryan <[EMAIL PROTECTED]> wrote:

I see how to block IE7 from deploying through WSUS, but what
I don't see is a way to block a user from manually installing it.

(http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

Our users are 90% XP SP2 and managed through GP.  What
about building a restricted software GPO that has a hash of iesetup7.exe (if
that even exists)?

I want to restrict them from getting it through
microsoftupdate.com as well.

Bryan Lucas
Server Administrator
Texas Christian University

RE: [ActiveDir] Blocking IE7

2006-10-19 Thread Kevin Brunson

http://www.microsoft.com/downloads/details.aspx?FamilyId=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en

If they are local admins, this will not
block them from manually installing it, but if they are local admins, there
aren’t a whole lot of options.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
Sent: Thursday, October 19, 2006 11:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Blocking IE7

I see how to block IE7 from deploying through WSUS, but what
I don’t see is a way to block a user from manually installing it.

(http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

Our users are 90% XP SP2 and managed through GP.  What
about building a restricted software GPO that has a hash of iesetup7.exe (if
that even exists)?

I want to restrict them from getting it through
microsoftupdate.com as well.

Bryan Lucas
Server Administrator
Texas Christian University

RE: [ActiveDir] Blocking IE7

2006-10-19 Thread Laura A. Robinson

"
Toolkit Components:
The toolkit contains two components:

  An executable blocker script
  A Group Policy Administrative Template (.ADM file)

Blocker Script
The script creates a registry key and sets the associated
value to block or unblock (depending on the command-line option used) automatic
delivery of Internet Explorer 7 on either the local machine or a remote target
machine.

Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Setup\7.0
Key value name: DoNotAllowIE70

  When the key value name is not defined, distribution is not blocked.
  When the key value name is set to 0, distribution is not blocked.
  When the key value name is set to 1, distribution is blocked.

The script has the following command-line syntax:

    IE70Blocker.cmd [<machine name>] [/B] [/U] [/H]

Machine Name
The <machine name> parameter is optional. If not specified, the action is
performed on the local machine. Otherwise, the remote machine is accessed via
the remote registry capabilities of the REG command. If the remote registry
can’t be accessed due to security permissions or the remote machine can’t be
found, an error message is returned from the REG command.

Switches
Switches used by the script are mutually
exclusive and only the first valid switch from a given command is acted on. The
Script can be run multiple times on the same machine without problem.

  /B - Blocks distribution
  /U - Unblocks distribution
  /H or /? - Displays the following summary help:

       This tool can be used to remotely block or unblock the delivery of
       Internet Explorer 7 via Automatic Updates.

       Usage:
       IE70Blocker.cmd [<machine name>] [/B][/U][/H]
       B = Block Internet Explorer 7 deployment
       U = Allow Internet Explorer 7 deployment
       H = Help

       Examples:
       IE70Blocker.cmd mymachine /B (blocks delivery on machine "mymachine")
       IE70Blocker.cmd /U (unblocks delivery on the local machine)

Group Policy Administrative Template (.ADM file)
The Group Policy Administrative Template (.ADM file)
allows administrators to import the new Group Policy settings to block or
unblock delivery of Internet Explorer 7 into their Group Policy environment, and
use Group Policy to centrally execute the action across systems in their
environment.

After adding this administrative template to the Group
Policy Editor you must uncheck the "Only show policy settings that can be
fully managed" in the Filtering dialog before the new policy becomes visible
in the Group Policy Editor. This option is found by highlighting "Administrative
Templates", then selecting "View" then "Filtering". You will then see the policy
under "Computer Configuration / Administrative Templates / Windows Components
/ Windows Update / Automatic Updates Blockers". This setting is available
only as a Computer setting; there is no per-User setting.

Note: This registry setting is not stored in a policies key and is thus considered a
preference. Therefore if the Group Policy Object that implements the setting is
ever removed or the policy is set to "Not Configured", the setting will remain.
To unblock distribution of Internet Explorer 7 using Group Policy set the policy
to "Disabled".

Answers to Frequently Asked Questions can be found here."

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
  Sent: Thursday, October 19, 2006 12:55 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Blocking IE7

  I see how to block IE7 from
  deploying through WSUS, but what I don’t see is a way to block a user from
  manually installing it.

  (http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

  Our users are 90% XP SP2 and
  managed through GP.  What about building a restricted software GPO that
  has a hash of iesetup7.exe (if that even exists)?

  I want to restrict them from
  getting it through microsoftupdate.com as well.

  Bryan Lucas
  Server Administrator
  Texas Christian University
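
The registry semantics in the toolkit text quoted in the message above (value not defined or 0 means not blocked, 1 means blocked) can be checked across machines. The PowerShell below is an added example, not part of the thread or of Microsoft's toolkit; the function name Get-IE7BlockState and the machine names are hypothetical.

```powershell
# Added example (not part of the Blocker Toolkit): report the DoNotAllowIE70 state.
# Key path and value name are taken from the toolkit text quoted in the thread.
$KeyPath   = 'SOFTWARE\Microsoft\Internet Explorer\Setup\7.0'
$ValueName = 'DoNotAllowIE70'

function Get-IE7BlockState {
    param(
        # Hypothetical machine names; an empty string means the local machine.
        [string[]]$ComputerName = @('')
    )
    foreach ($computer in $ComputerName) {
        $state = 'Unknown'
        $raw   = $null
        try {
            # OpenRemoteBaseKey with an empty name opens the local hive; a remote
            # name needs the Remote Registry service and sufficient permissions.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $hklm.OpenSubKey($KeyPath)
            if ($null -ne $key) {
                $raw = $key.GetValue($ValueName, $null)
                $key.Close()
            }
            $hklm.Close()
            # Toolkit semantics: not defined or 0 = not blocked, 1 = blocked.
            if     ($null -eq $raw) { $state = 'NotBlocked (value not defined)' }
            elseif ($raw -eq 1)     { $state = 'Blocked' }
            elseif ($raw -eq 0)     { $state = 'NotBlocked' }
            else                    { $state = "Unexpected value: $raw" }
        }
        catch {
            $state = "Error: $($_.Exception.Message)"
        }
        New-Object PSObject -Property @{
            Computer = $(if ($computer) { $computer } else { $env:COMPUTERNAME })
            Value    = $raw
            State    = $state
        }
    }
}

# Local machine first, then two placeholder machine names.
Get-IE7BlockState
Get-IE7BlockState -ComputerName 'LAB-PC-01', 'LAB-PC-02'
```

Because the value is a preference rather than a policies-key setting, a machine can keep reporting Blocked after the GPO that set it is removed. A Blocked result covers Automatic Updates delivery only; per the toolkit text quoted elsewhere in the thread, it does not prevent a manual install.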
   


RE: [ActiveDir] Blocking IE7

2006-10-19 Thread Laura A. Robinson

You might want to re-read the page that you linked to below, since it answers all of
your questions.

1. That toolkit is *not* designed to block WSUS deployments. With WSUS, you would
simply not approve the update.
2. That toolkit *is* designed to block both the executable and automatic update
installations.

Laura

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas, Bryan
  Sent: Thursday, October 19, 2006 12:55 PM
  To: ActiveDir@mail.activedir.org
  Subject: [ActiveDir] Blocking IE7

  I see how to block IE7 from
  deploying through WSUS, but what I don’t see is a way to block a user from
  manually installing it.

  (http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

  Our users are 90% XP SP2 and
  managed through GP.  What about building a restricted software GPO that
  has a hash of iesetup7.exe (if that even exists)?

  I want to restrict them from
  getting it through microsoftupdate.com as well.

  Bryan Lucas
  Server Administrator
  Texas Christian University
   


Re: [ActiveDir] Blocking IE7

2006-10-19 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Make them non admin (I mean now that Quickbooks can run as non
admin..what's your excuse? ;-)

This blocking tool is for just that.

BTW the IE 7 will come through as an "update rollup" so that if you do
not have this checked it won't autodownload.

AU isn't expected to start until November btw.

Lucas, Bryan wrote:

I see how to block IE7 from deploying through WSUS, but what I don’t
see is a way to block a user from manually installing it.

(http://www.microsoft.com/downloads/details.aspx?FamilyID=4516A6F7-5D44-482B-9DBD-869B4A90159C&displaylang=en)

Our users are 90% XP SP2 and managed through GP. What about building a
restricted software GPO that has a hash of iesetup7.exe (if that even
exists)?

I want to restrict them from getting it through microsoftupdate.com as
well.

Bryan Lucas
Server Administrator
Texas Christian University

--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs
