Policy template to block MSN Messenger 6.2?

[KJ]

The company I work for discourages Messenger use. In the past, we used
a registry setting to prevent MSN messenger from running however it
only works up to version 4.7. We have had a rash of people downloading
newer versions and installing it. Unfortunatley, we have some critical
apps that require everyone to have local admin rights on thier pcs.

The XP system.adm policy has a setting to block messenger, but it
doesn't seem to work on ver 6.2. and I suspect that that setting is
ignored on Win2K pcs.

Will system.adm from Windows Server 2003 block the newer versions of
MSN Messenger (post 4.7) and will the policy apply to Win2K systems? I
would try it but I don't have access to that version of Windows
Server.

If anyone has another automated method for disabling MSN Messenger
6.2, please do tell. I have searched like crazy and can't find an
answer.

Thanks,
KJ

 

[Dave Yates]

I would also like a solution to this if anyone can help. We have just under
200 Win2K PC's and we run a training organisiation, and the clients seems
infatuated with MSN, Yahoo, AOL etc, so if anyone knows a way of blocking
installation and/or usage of this, it would be a great help.

Thanks

Regards

Dave

 

[Steven L Umbach]

In Windows XP Pro you can use Software Restriction Policies to prevent users
from running or installing unathorized sofware via hash/path/certificate
rules. You could start with a hash of the executeable for version 6.2 and
set it to disallowed but you can do much much more with combinations of path
and hash rules. SRP takes a little time getting used to setting up and it
can be applied via Group Policy to a large number of computers. You can also
manage it for XP Pro computers in a W2K domain for computer configuration by
managing the Group Policy for the domain from an XP Pro Computer. It is much
more difficult to restrict on a W2K box though you can populate the
disallowed Windows applications setting under user
configuration/administrative templates/system to include the names of
executeables and I would also add install.exe, setup.exe, and maybe
msiexec.exe to the list. That configuration in W2K will not work if a user
renames the executeable or is able to logon to the machine locally.
Configuring your firewall or installing personal firewalls to not allow
access to unathorized internet applications may be another thing to look at.
Ipsec filtering can be used as a crude built in firewall in W2K/XP Pro
though software firewalls are able to have access rules mapped to MD5
protected executeable hashes. The links below may be helpful with the last
link extremely helpful in showing how to maximize the effectiveness of
Software Restriction Policies. ---- Steve

http://support.microsoft.com/?kbid=310791
http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx