Deny Software installation

J

John B

XP Pro

Can anyone tell me how to "Disallow" software installation for the "Guest"
account?

Right now the "Guest" account can install software, they just get the
warning box "install program as other user" and they can go ahead and
install the application without logging in as an "Administrator".

I want to setup the machine so NO software period can be installed by the
"Guest" account, weather they know an administrator logon or not.

Thanks,

John Barnes
(e-mail address removed)
 
M

Michael Solomon \(MS-MVP Windows Shell/User\)

The way to do it is exactly what you've done except you don't give out your
logon. That's how it is done in XP and if you give out your admin logon,
you essentially defeat the security of using the guest account.

In other words, it is already turned off in the Guest account. When they
use your logon, they are bypassing the Guest account and using information
you've apparently given them to do so. Even if you had XP Pro, there's no
rule in Group Policy editor you could create to do what you are asking as it
would essentially turn off admin rights.

Now that you've given up the security you can either change your login
information or you can get a third party application to handle this because
you've compromised the security and the means of handling what you wish to
prevent.
 
J

John B

I haven't given out my admin logon.

When Guest account try's to load software, a dialog comes up stating that
some programs won't install/run correctly unless htey are installed under an
account with administrative rights. The dialog then has two radio buttons
that will allow the Guest account to either logon as an adminsistrator
account or load the program using the existing account (i.e., the Guest
account). The user can continue to install the program if he chooses not to
use the radio button selection that allows him to logon as an administrator.
Therefore loading the software under the Guest account.

JB
 
M

Michael Solomon \(MS-MVP Windows Shell/User\)

They cannot log into an admin account that doesn't exist. If it exists, it
should certainly be password protected. The box that comes up should also
have a password box as well as an ID, if they know the password, for an
admin account, then they can certainly do what you are suggesting. If the
accounts are password protected, then we need a fuller understanding of what
is going on because without knowing the logon information, they shouldn't be
able to do this and I've just tested it on my own setup: my admin accounts
require a password.
 
G

Guest

Why not
1) Turn off or disable the guest account, it should never be availabl
2) If you just have to open up this security risk, use the MMC console calle
'services.msc' and disable the 'run-as' servic
3) I totally agree....giving out the admin password negates the purpose o
having security features in the first place....'just say NO'........
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Deny Software installation 1
Disable CD rom access 1
"Access Denied" when disabling "Services" as the Administrator 1
user accounts info needed 1
windows xp pro guest account 1
writing to registry in vista from guest account 7
Windows XP Changing power scheme in windows XP 2
Admin Account(s) 2

Top