Restricting programs

[Laser]

We use XP-Pro (Sp2) Is there any way to restrict users from playing MS
Solitaire. Employees often play this during business hours. I know I can
removed the program but it is easy to reinstall.

Thanks in advance

Mike

 

[Guest]

It can be done, but only from an administrator account.

Click on Start button, then Run and type "gpedit.msc", without quotes into
the run dialog box. Group policiy will load. Expand "Administrative
templates" and then click on "System". Click on "Don't run specified Windows
applications" on the right. A new window will appear; choose "Enable" part of
the program window, then click on "Show", and again a new window will open.
Click "Add" here and type sol.exe, which is the executable for Solitaire in
"Enter the item to be added" dialog box.

Now to prevent your employees to begin playing Spider solitaire you can add
spider.exe, which is the executable for Spider solitaire here to prevent them
to start wasting their time with Spider solitaire.

Of course you can add also other applications.

Hope this help

Mitja

 

[Laser]

Hi Mitija,

Thanks for the suggestion, I just have one question. Please excuse me if
this is a stupid question but I'm quite the newbee to all of this.

What is spider solitaire and why would that be better?

Mike

 

[Guest]

Windows XP Pro comes with two solitaire games: Solitaire and Spider
solitaire. So, Spider solitaire is just another version of solitaire, which
has 3 levels of difficulty (Easy - One suit, Medium - Two Suits and Difficult
- Four Suits). I suggested you to block also spider solitaire because to my
experience employees usually find another game to waste time with, when the
administrator blocks their favourite game.

You can find all games which are installed during Windows installation
procedure by clicking Start, then All Programs and then Games. You might even
consider blocking all games.

Mitja

 

[Laser]

Ohhh., am I stupid...

I figured out what you were saying regarding Spider Solitaire.

I implemented your suggestion and it works great however, do you know of any
way to change the message that is displayed when a user try's to run
deactivated game?

Thanks

Mike

 

[Guest]

I think that the message text displayed when a user tries to run a restricted
program cannot be changed. I might be wrong, I just don't know any way how to
change it.

Mitja

 

[Steve Riley [MSFT]]

You are describing a non-technical problem that is better solved
managerially than with a technical control.

Do you have acceptable use policies at your organization? Have employees
signed such a policy? Does your policy prohibit playing games or other
non-work related use of machines during work hours? If so, then the
employees are willfully violating the policy.

Willful policy violation is punishable offense. Use the power of HR here.
What about if employees install peer-to-peer networking programs? This,
IMHO, is a fireable offense.

Steve Riley
(e-mail address removed)

 

[Doug Knox MS-MVP]

Why do you consider this a non-technical problem, Steve? There is a section in the Group Policy Editor that specifically allows an Administrator to prohibit specific applications.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com

 

[Steve Riley [MSFT]]

I view SRP more as a tool to define and limit acceptable behavior, which
just so happens as a nice side effect to help keep malware from running. If
you can't keep it from getting installed on the computer, then a
well-crafted role-based SRP that uses an allow list will block the malware
from executing. My favorite is to have multiple SRPs that reflect various
user role classifications, but all of them are of the allow-list variety:
enumerate the applications that are allowed, and block everything else.

I know, this will have the same effect: stopping Solitare (if Solitare isn't
on the list). However, in the case below, Mike is asking about how to block
a specific program. Solitare is not really the problem here: it's merely the
symptom. A symptom of utter disdain for the organization. Look at what Mike
wrote: "I know I can remove the program but it is easy to reinstall."
Presumably employees here would do just that, and actively circumvent a
policy. And if Mike successfully thwarts all attempts at running Solitare,
people will just play some other game. It is impossible to block all the bad
stuff: you'll never know it all.

These are not the kind of employees to keep around. The more time I spend
thinking about the human side of security, the more I'm becoming a believer
in managerial enforcement of policy, whatever such enforcement might
involve.

Steve Riley
(e-mail address removed)



Why do you consider this a non-technical problem, Steve? There is a
section in the Group Policy Editor that specifically allows an Administrator
to prohibit specific applications.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com

 

[Doug Knox MS-MVP]

Oh, I agree, Steve. But there are specific tools that can be used to enforce policy. Don't let the kid in the cookie jar and he can't eat the cookies. Then, if you find that employees are bypassing security, as long as you have a strict, well defined "Securty Policy", then you take disciplinary action. But, we all know what human nature is, so we should apply and define the policy, and relavent security measures, then resort to more drastic action when the employee tries to subvert those policies.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com