changing permissions on Downloaded Program Files directory

[Les]

We are trying to deploy systems in our organization where
users are either regular users or power user, but not in
the local administrator group for their system. This is
to keep them from installing software or making changes
that can cause problems.

User can install Active-X components in IE, but they can
not remove them because they don't have the correct access
to Downloaded Program Files directory. When they go there
and right click on an Active-X control and select Remove,
they get an error that says the current user account is
not authorized to remove items from this folder.

If I right click on this folder, it only has a General
tab. It does not have a Security tab. How can I grant
users or power users the ability to remove Active-X
controls?

If the same user opens a command prompt window and goes to
this directory, they are able to physically delete the
files, but now IE shows those controls as damaged and
still does not work correctly.

There must be a control somewhere to allow this.

Thanks,
-Les

 

[Les]

I guess I should point out that these are either Windows
2000 Pro or XP Pro systems.

 

[Mike Lin]

Hello Les,

Thank you for posting your question!

The "Downloaded Program Files" is a specific folder thus the configuration
is different. For the security purpose, we recommend you always use
Administrator accounts to install and uninstall Programs or Controls.
However, if it is applicable, we can modify the system32 folder permission
to allow power users to remove the Controls:

Please access the property of the "%systemroot%\system32" folder, and set
the Power User accounts to have the "Full Control" permission on this
folder. Or if you would like to restrict the access, I also recommend you
remove the write permission for Power Users in this folder.

Then, please try to install or uninstall ActiveX components. I recommend
you use the Windows Update Control by accessing
"http://windowsupdate.microsoft.com" to test the new configuration.

Have a good day!

Regards,

Mike Lin, MCSA/ MCDBA/ MCSE

Microsoft Online Support
Get Secure! - <www.microsoft.com/security>
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Les]

I was able to add full access for power users to the
System32 directory on both Windows 2000 and XP Pro. Then
I logged in as a power user, added an Active X component,
and then tried to remove it. I got the same error message
that the current user is not permitted.

Also, I tried to go to https:\\windowsupdate.Microsoft.com
on both OS's and was told I had to be an Administrator to
run windows update. This is not important for us, just
being able to remove the Active X that we install.

 

[Mike Lin]

Hello Les,

Thank you for your reply.

We have performed further research on this issue. However, as the error
message indicated, we found only administrator accounts can safely remove
ActiveX controls from this folder. As I indicated in my previous message,
this is a special folder. To remove Controls within this folder, users need
to have the ability to remove critical system resources such as the Class
registration, which may cause serious system problems. For the security
purpose, only administrators are allowed to remove downloaded ActiveX
Controls.

For your information, when researching this issue, we found we can use the
"cacls" tool to modify the permission on this folder, but this still cannot
allow users or power users to remove ActiveX Controls within this folder.
The command is:

cacls "c:\winnt\downloaded program files" /G users:F

I hope this message helps. If you need further information, please let me
know. It is my pleasure to be of assistance.

Regards,

Mike Lin, MCSA/ MCDBA/ MCSE

Microsoft Online Support
Get Secure! - <www.microsoft.com/security>
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Mike Lin]

Hello Les,

Thank you for your experience sharing.

The mechanism of removing an ActiveX Control and some other system
components are similar, thus a user can remove an ActiveX control can also
remove these components. Power Users can open the regedit program but
cannot access all of the registry entries or files, thus will be denied to
remove the control.

It seems you have found a workaround of the issue. Am I correct? If you
need further information on this issue, please let me know. I will be glad
to be of further assistance.

Regards,

Mike Lin, MCSA/ MCDBA/ MCSE

Microsoft Online Support
Get Secure! - <www.microsoft.com/security>
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Mike Lin]

Hello Les,

Thank you for your reply. I am glad to hear that your workaround can meet
your customers' requests.

Have a nice weekend!

Regards,

Mike Lin, MCSA/ MCDBA/ MCSE

Microsoft Online Support
Get Secure! - <www.microsoft.com/security>
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.