Adding restricted access but allowing Windows\Norton Updates

[Guest]

Sarbanes and Oxley have been auditing our company and they have given us the
role as IT to restrict user access on our network. My question is what
"group" would I add a user so that he/she will be restriced to install any
3rd party software such as google toolbar, or messngers, but still be able to
pull down windows and norton antivirus updates? Ive tried this on power user
and it doesnt work for the updates it says i have to be logged in as ADMIN,
however it does not allow installation of the google toolbar which was good.
I need help. Thanks

 

[Steven L Umbach]

You can use the free tools from SysInternals called filemon and regmon to
find where access is being denied and try to give the group needed access
which may also include write and modify. You would have to logon as the
restricted user and then start filemon with runas specifying admin
credentials and then try to run the restricted application. As soon as it
fails stop filemon logging, look for denied access entries [you can use
filter view to highlight specific searches] , tweak permissions for the
group for that file/folder and try again in a trial and error basis. You may
also have to use regmon to look for access denied for registry keys. Suspect
areas would be the application folder or folders in program files,
subfolders for the application in program files\common files, and subfolder
for the application in documents and settings\all users\application data.
Note however it is not always possible to allow a regular user to run
everything that an administrator can [such as secpol.msc for example] due to
hard coded restrictions in the operating system that only allow
administrator/system access which will often show as an object access
failure if auditing of object access is enabled which it should not be on a
routine basis. --- Steve

http://www.sysinternals.com/Utilities/Filemon.html --- filemon and link to
SysInternals