Why can USERS install programs?

Guest

I have many people set up as USERS in Win2K Pro. Why are they able to install programs?

Specifically, every time I go to a computer, they have installed chat programs such as ICQ & AOL IM and some other international ones as well. And they are installed underneath the Program Files directory as well, not even under their My Documents folder, which I understand can be done as well.

I would love to set these people up as guests, but proxy settings don't hold for a guest. Does anyone have an explanation or suggestion how to COMPLETELY lock out a person from installing software?
 
Steven L Umbach

I would verify that the users in question are only regular users and not members of
the power users or local administrators group. Also examine security on the program
files folder, which does not give regular users write access in a default installation.
Keep in mind that if a user can boot from a floppy or cdrom that there are widely
available free tools to reset the built in administrators account password to null. I
would also check ownership of those folders to see if it shows user or
administrators. Create a new regular user account, logon as that user and try
yourself to see if you can install the mentioned programs to the program files folder
that does not have write access for regular users.

Windows XP Pro has the very powerful Software Restriction Policies to enforce what a
user can run on their computer. W2K does not have that but you may have some luck
populating the disallowed Windows application list in Group Policy under user
configuration/administrative templates/system and adding at least install.exe and
setup.exe. You also want to make sure that the Group Policy setting for users for
"always install with elevated privileges" is disabled which will allow regular users
to install .msi applications. That setting is under both computer and user
configuration/administrative templates/Windows components/Windows installer. Also
check that the users/everyone groups have only read/list/execute permissions to the
root/drive folder and also look in advanced permissions. A more extreme measure that
I have tested with pretty good results but have not tried for every possible case is
to go to the user's folder under Documents and Settings and go to the security page/advanced.
Add the user and then in "apply onto" select "files only" and give the user deny
permissions for traverse folder/execute file. If you want to try it, do it on just a
few users' computers for a while to make sure the user is not denied needed access to an
application. Good luck. --- Steve
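
The checks from the answer above, as an added example that is not part of the original thread: it parses the text output of `net localgroup "Power Users"` and `cacls "C:\Program Files"` and takes the two "always install with elevated privileges" policy values as numbers. The sample output is constructed and the function names are illustrative.

```python
import re

# Constructed sample output for illustration; not captured from a real machine.
POWER_USERS = """Alias name     Power Users

Members

-------------------------------------------------------------------------------
jsmith
The command completed successfully.
"""
PROGRAM_FILES_ACL = r"""C:\Program Files BUILTIN\Users:R
                 BUILTIN\Users:(OI)(CI)(IO)(special access:)
                                        GENERIC_READ
                 BUILTIN\Power Users:C
                 BUILTIN\Administrators:F
                 Everyone:(OI)(CI)C
"""
BROAD = {"users", "everyone"}  # groups that should hold read/list/execute only
ACE = re.compile(r"^(.+?):((?:\((?:OI|CI|IO)\))*)([NRWCF])$")  # trustee:flags+right

def group_members(net_output):
    """Names listed between the dashed rule and the trailing status line."""
    lines = [l.strip() for l in net_output.splitlines()]
    start = next(i for i, l in enumerate(lines) if l.startswith("-----")) + 1
    return [l for l in lines[start:] if l and not l.startswith("The command")]

def broad_write_aces(cacls_output, path):
    """(trustee, right) pairs where Users/Everyone hold W, C or F on path."""
    hits = []
    for line in cacls_output.splitlines():
        line = line.strip()
        if line.startswith(path):
            line = line[len(path):].strip()  # the first line carries the path
        m = ACE.match(line)  # "special access" entries do not match; review by hand
        if m and m.group(1).split("\\")[-1].lower() in BROAD and m.group(3) in "WCF":
            hits.append((m.group(1), m.group(3)))
    return hits

def audit(power_users_out, acl_out, path, hklm_value, hkcu_value):
    findings = [f"Power Users member: {m}" for m in group_members(power_users_out)]
    findings += [f"{t} has '{r}' on {path}" for t, r in broad_write_aces(acl_out, path)]
    # AlwaysInstallElevated under Software\Policies\Microsoft\Windows\Installer
    if hklm_value == 1 and hkcu_value == 1:  # effective only when set in both hives
        findings.append("AlwaysInstallElevated is enabled for machine and user")
    return findings

if __name__ == "__main__":
    for finding in audit(POWER_USERS, PROGRAM_FILES_ACL, r"C:\Program Files", 1, 1):
        print(finding)
```
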

