How do I prevent flash player download and install?

[exg001]

At work, we are still running NT. Unfortunately, one of the servers is
Terminal Server so I have a lot of users using it and surfing. Just
about every site in the world is using Adobe's Flash Player, but the
latest you can have on NT is version 7.

All I want to do is prevent Flash from trying to get the latest
version for my users. It's a selfish reason: they keep getting error
messages, and the server's hard drive keeps filling up with a million
copies of FP_AX_CAB_INSTALLER.exe in DOWNLOADED PROGRAM FILES folder.
So every now and then, I have to clear out 1 GB of junk from there.

I have tried setting IE to disable Install on Demand (Other). I even
tried putting 0.0.0.0 download.macromedia.com in the hosts file.

I hate Flash, but I know it's used. Any idea how I can prevent this?

BTW, the error message users get (regardless of admin or not):

Adobe Flash Player ActiveX Setup
Failed to install. For troubleshooting tips, please see
http://www.adobe.com/go/tn_19166

 

[VanguardLH]

At work, we are still running NT. Unfortunately, one of the servers
is
Terminal Server so I have a lot of users using it and surfing. Just
about every site in the world is using Adobe's Flash Player, but the
latest you can have on NT is version 7.

All I want to do is prevent Flash from trying to get the latest
version for my users. It's a selfish reason: they keep getting error
messages, and the server's hard drive keeps filling up with a
million
copies of FP_AX_CAB_INSTALLER.exe in DOWNLOADED PROGRAM FILES
folder.
So every now and then, I have to clear out 1 GB of junk from there.

I have tried setting IE to disable Install on Demand (Other). I even
tried putting 0.0.0.0 download.macromedia.com in the hosts file.

I hate Flash, but I know it's used. Any idea how I can prevent this?

BTW, the error message users get (regardless of admin or not):

Adobe Flash Player ActiveX Setup
Failed to install. For troubleshooting tips, please see
http://www.adobe.com/go/tn_19166

Rather than trying to push a hosts file onto your workstations, and
since they probably are configured to use DHCP which means they use
*your* DNS server, why not block the IP address lookup in your DNS
server?

As an example, I use OpenDNS from home. In my account there, I can
block lookups on specified domains. So when someone or a program
tries to connect to <somesite> then the DNS lookup will fail and the
someone or program will not get an IP address. Humans want readable
IP names. Computers require IP addresses. If the computer doesn't
get the IP address, it can't connect to that host. It is unlikely
that users are going to use IP addresses to circumvent the DNS lookup
rejection. Programs are rarely encoded to use IP addresses and
instead will use an IP name which requires the DNS lookup.

I am suspect of your intention. Someone claiming to be an
administrator over users (plural) would have their own e-mail account
at their own mail server or e-mail provider and not using a Gmail
account, and they would be posting using a real newsreader rather than
through Google Groups. Real admins don't post through Google Groups.
Real admins have a real e-mail address (or will munge it or not even
use a valid one when posting to Usenet).

 

[exg001]

Rather than trying to push a hosts file onto your workstations, and
since they probably are configured to use DHCP which means they use
*your* DNS server, why not block the IP address lookup in your DNS
server?

As an example, I use OpenDNS from home.  In my account there, I can
block lookups on specified domains.  So when someone or a program
tries to connect to <somesite> then the DNS lookup will fail and the
someone or program will not get an IP address.  Humans want readable
IP names.  Computers require IP addresses.  If the computer doesn't
get the IP address, it can't connect to that host.  It is unlikely
that users are going to use IP addresses to circumvent the DNS lookup
rejection.  Programs are rarely encoded to use IP addresses and
instead will use an IP name which requires the DNS lookup.

I am suspect of your intention.  Someone claiming to be an
administrator over users (plural) would have their own e-mail account
at their own mail server or e-mail provider and not using a Gmail
account, and they would be posting using a real newsreader rather than
through Google Groups.  Real admins don't post through Google Groups.
Real admins have a real e-mail address (or will munge it or not even
use a valid one when posting to Usenet).- Hide quoted text -

- Show quoted text -

I appreciate your little idea, regardless of the fact that you are not
fully reading my post. I will try blocking some site at my
DNS...maybe all of *adobe.com*.

As for my real intentions and using my own gmail account and posting
on Google Groups instead of using a 'real' newsreader, what exactly
would my "intentions" be other than what I stated? Of course you
didn't fully read it, so I can't expect a proper answer.

Thanks anyway.

 

[VanguardLH]

:








Rather than trying to push a hosts file onto your workstations, and
since they probably are configured to use DHCP which means they use
*your* DNS server, why not block the IP address lookup in your DNS
server?

As an example, I use OpenDNS from home. In my account there, I can
block lookups on specified domains. So when someone or a program
tries to connect to <somesite> then the DNS lookup will fail and the
someone or program will not get an IP address. Humans want readable
IP names. Computers require IP addresses. If the computer doesn't
get the IP address, it can't connect to that host. It is unlikely
that users are going to use IP addresses to circumvent the DNS
lookup
rejection. Programs are rarely encoded to use IP addresses and
instead will use an IP name which requires the DNS lookup.

I am suspect of your intention. Someone claiming to be an
administrator over users (plural) would have their own e-mail
account
at their own mail server or e-mail provider and not using a Gmail
account, and they would be posting using a real newsreader rather
than
through Google Groups. Real admins don't post through Google Groups.
Real admins have a real e-mail address (or will munge it or not even
use a valid one when posting to Usenet).- Hide quoted text -

- Show quoted text -

I appreciate your little idea, regardless of the fact that you are not
fully reading my post. I will try blocking some site at my
DNS...maybe all of *adobe.com*.

As for my real intentions and using my own gmail account and posting
on Google Groups instead of using a 'real' newsreader, what exactly
would my "intentions" be other than what I stated? Of course you
didn't fully read it, so I can't expect a proper answer.

Thanks anyway.



--- REPLY SEPARATOR ---
Only required because above poster used QUOTED-PRINTABLE format.
When posting to newsgroups, do NOT use quoted-printable format.
* Not all NNTP clients handle quoted-printable format.
- Some users still use console-mode (non-GUI) NNTP clients.
- The long lines may not wrap properly.
- Scrolling is needed if the long line does not get wrapped.
- The long line may get truncated at the window's width.
- Quoted-printable format uses special character sequences for
logical formatting. View the raw source of your post. Text-
only clients may show that encoding when viewing your post.
* Quoting levels get mangled, especially for multiple replies.
* In replies, there is no clear delineation of content.
- Cannot tell what content is from the original poster and
what is from the respondent.
- Makes impossible to determine who said what when a reply
inserts comments inline with the quoted content.
---[end of comments]---

Hence another reason not to use Google Groups because it will
sometimes decide to use quoted-printable format which is not
appropriate for Usenet posts, and ****s up quoting.

That the users are using their own workstations or using TS to one
host to connect to the Internet from there is somewhat irrelevant. TS
only lets you focus *local* solutions on that host to which the users
connect. Blocking access to the sites using DNS rejection is one way.
You could do the DNS rejection for all users at the company or you
could create an account just for that TS host which has its own
blocking rules. Blocking URL substrings or IP addresses at the router
is another solution, and you can probably even specify for which hosts
the blocking is implemented, so you could make it global or local to
just the TS host. Using a software firewall running on just that TS
host to use a rule to block on URL or IP addresses is another solution
to block just the TS users.

It seems you have lots of methods of blocking users from getting the
flash update.

 

[David Morgan \(MAMS\)]

It seems you have lots of methods of blocking users from getting the
flash update.

If the OP continues to delete items from the Downloaded Programs folder,
he's continually throwing away items necessary to view a *huge* amount
of websites, codecs for media player, and a small handful of other items
usually fairly pertinent to smooth Windows internet and media operation.
Pages will fail to fully load, browsers may lock up or crash without it...
depending on it's removal. Jerking out of the Downloaded Programs
folder *isn't* removing it.... it's causing the PC to lose track of it.

My suggestion would be to simply update the PCs, stay out of the down-
loaded programs folder (other than random inspection of the contents),
and be done with the 'pop-up' issue. We're creating problems here by
randomly dis-associating IE with working interfaces while leaving the
commands to find the item, if I'm not sadly mistaken.

I hate IE7... and I hate VISTA... but I have to deal with them. Flash is a
completely innocuous media carrier - it's trivial and harmless. So much
content and page layout is delivered through Flash these days... removing
it is somewhat akin to saying, I don't like Direct-X. <stretching reality>

"I know it's used" is a grotesque understatement... it's rapidly becoming the
preferred delivery medium for animation, motion advertising, movies, camera
interfaces, web content, etc.. Randomly removing the executable after it has
become a part of the registry and logged itself as a plugin to web browsers
etc., seems to me like pure trouble in the making.

Of course, I could be wrong.


DM

 

[VanguardLH]

If the OP continues to delete items from the Downloaded Programs
folder,
he's continually throwing away items necessary to view a *huge*
amount
of websites, codecs for media player, and a small handful of other
items
usually fairly pertinent to smooth Windows internet and media
operation.
Pages will fail to fully load, browsers may lock up or crash without
it...
depending on it's removal. Jerking out of the Downloaded Programs
folder *isn't* removing it.... it's causing the PC to lose track of
it.

My suggestion would be to simply update the PCs, stay out of the
down-
loaded programs folder (other than random inspection of the
contents),
and be done with the 'pop-up' issue. We're creating problems here
by
randomly dis-associating IE with working interfaces while leaving
the
commands to find the item, if I'm not sadly mistaken.

I hate IE7... and I hate VISTA... but I have to deal with them.
Flash is a
completely innocuous media carrier - it's trivial and harmless. So
much
content and page layout is delivered through Flash these days...
removing
it is somewhat akin to saying, I don't like Direct-X. <stretching
reality>

"I know it's used" is a grotesque understatement... it's rapidly
becoming the
preferred delivery medium for animation, motion advertising, movies,
camera
interfaces, web content, etc..

Part of the "etc." is also that some web sites don't like to be
crawled. Although they may have the directive in their robot file to
tell well-behaved web crawlers that they are not to go digging through
all the links in a site, the not well-behaved crawlers will do it
anyway. Using Flash probably makes it near impossible to crawl
through all pages of a web site or to even get off the home page. And
unlike trying to use cookies or referrer to restrict direct access to
web pages and instead require that you navigate from one of their
prior pages, Flash can regulate navigation through a web site's pages.
I see Flash often used for security.

 

[David Morgan \(MAMS\)]

Part of the "etc." is also that some web sites don't like to be
crawled.

I'm sorry, I fail to see where you're going with this... it's not addressing
the issue you may be creating in the PCs you rip files out of or choose
to block from one of the most widely used content delivery systems.

Although they may have the directive in their robot file to
tell well-behaved web crawlers that they are not to go digging through
all the links in a site, the not well-behaved crawlers will do it
anyway. Using Flash probably makes it near impossible to crawl
through all pages of a web site or to even get off the home page. And
unlike trying to use cookies or referrer to restrict direct access to
web pages and instead require that you navigate from one of their
prior pages, Flash can regulate navigation through a web site's pages.
I see Flash often used for security.

Which is it... hate or the praises you're singing here?

motzarella.org looking for some new information or is Google just getting old?

DM

 

[David Morgan \(MAMS\)]

Sorry...

DM

 

[VanguardLH]

I'm sorry, I fail to see where you're going with this... it's not
addressing
the issue you may be creating in the PCs you rip files out of or
choose
to block from one of the most widely used content delivery systems.

You were stating why Flash is used but didn't mention security is one
of the reasons to use it.

Which is it... hate or the praises you're singing here?

He is wearing a blue sweater. She is wearing a pink sweater. Where
do you see hate or praise in those statements?

motzarella.org looking for some new information or is Google just
getting old?

Don't know what you were *attempting* to ask or state here. It just
rambles. I use motzarella whenever my Giganews monthly quota gets
consumed which is maybe twice a year but I get stuck using motzarella
for a month or two until my quota gets reset (I used to use AIOE but
it has a limit of 25 posts per day, requires using FollowUp-To on
cross-posted replies which is not RFC required, and is down too
often). I don't post through Google Groups. Of course, I'm just
rambling here trying to guess what your rambling meant.

 

[Tom K]

To disable AutoUpdate try this for Flash...
http://kb.adobe.com/selfservice/viewContent.do?externalId=16701594&sliceId=1


You didn't ask for it but, to disable AutoUpdate try this for Shockwave...
http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_16683&sliceId=2

This is a "single user" fix for Shockwave. For company-wide here's the
VBScript snippet to turn off AutoUpdate (and Data Collection)...

Const ShockwaveReg = "\Software\Macromedia\Shockwave 10"
Set oShell = CreateObject("WScript.Shell")
oShell.RegWrite "HKCU" & ShockwaveReg & "\AutoUpdate\", "n", "REG_SZ"
oShell.RegWrite "HKCU" & ShockwaveReg & "\collectstats\", "n", "REG_SZ"
oShell.RegWrite "HKLM" & ShockwaveReg & "\AutoUpdate\", "n", "REG_SZ"
oShell.RegWrite "HKLM" & ShockwaveReg & "\CollectStatistics\", "n", "REG_SZ"

Hope this helps.

Tom

 

[David Morgan \(MAMS\)]

Of course, I'm just rambling here trying to guess what your rambling meant.

You must have missed my apology. I mistook your post for the OP last night,
who claims to dislike shockwave so badly that he regularly empties the
Dowloaded Programs folders in company PCs to eliminate it.