Installing a program itself is running a program involving setup.exe,
install.exe, misexec.exe, etc. Software Restriction Policies are very
effective at preventing that. Regular users have write access usually to
only their profile and possibly the root/drive folder [where you may want
users/everone to have no more that read/list/execute including advanced
permissions page]. You could create a path rule to their profile folder that
disallows running any application from there and they will not be able to
install or run software from their profile but still be able to run other
programs on their computer. There is a Group Policy user configuration
setting in administrative templates/system where you can populate the
disaalowed Windows applications list and some will add install.exe and
setup.exe to that list. However Local Group Policy applies to all users on a
computer, including administrators though SRP can exempt administrators with
the enforcement rule. --- Steve