Group Policy Help!!!

[Clayton]

Hello All
I have a question concerning installs and Internet
Explorer with the range of Group Policies
Here where I work I have a big problem with clients
downloading things like WebShots and ScreenSaver programs.
How can I stop all of this?
I have searched through Group Policy until I am blue in
the face.
I have locked down clients to the point they can not
change their desktops and most everything else but I can
not get them to stop downloading programs nor keep them
from installing them...
Is there a Group Policy (I might have missed) that I can
stop downloads, stop installs, stop everything period!!!?
Any Ideas?
Thanks

 

[Steven L Umbach]

Making that the users are only regular users is the first step. You can also try to
populate the disallowed Windows Applications list in Group Policy as explained in the
KB link below making sure to include install.exe and setup.exe which may help. You
can stop downloads via Internet Explorer by configuring the internet Web Content Zone
where there is an option to disable downloads and configure trusted sites for
downloads if there is a need to download from specific sites. You can configure Web
Content Zones via Group Policy and of course you will need to prevent users from
accessing them. That may not stop users from trying to use other programs such as
kazzaa if they are able to get that on their computers. The best defense for that is
to configure your firewall [or use ipsec filtering] to only allow authorized outbound
port access for users such as 80 tcp and 443 tcp for web browsing or in more severe
cases install a personal firewall on the users computers that can map firewall rules
to specific applications protected by an md5 hash so that a user or trojan could not
simply rename a file to use it for internet access. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
http://support.microsoft.com/default.aspx?scid=kb;en-us;174360

 

[Min0]

Sounds like you need not only Group Policy but ORGANISATIONAL POLICY as well



Dont overlook Security In Depth
My experience says:
If people can get away with it they will do it so...
Min0

 

[ajolivier]

what about a third party tool, like bordermanager

-----Original Message-----
Making that the users are only regular users is the

first step. You can also try to

populate the disallowed Windows Applications list in

Group Policy as explained in the

KB link below making sure to include install.exe and setup.exe which may help. You
can stop downloads via Internet Explorer by configuring the internet Web Content Zone
where there is an option to disable downloads and configure trusted sites for
downloads if there is a need to download from specific sites. You can configure Web
Content Zones via Group Policy and of course you will need to prevent users from
accessing them. That may not stop users from trying to use other programs such as
kazzaa if they are able to get that on their computers. The best defense for that is
to configure your firewall [or use ipsec filtering] to only allow authorized outbound
port access for users such as 80 tcp and 443 tcp for web browsing or in more severe
cases install a personal firewall on the users computers that can map firewall rules
to specific applications protected by an md5 hash so

that a user or trojan could not

 

[Clayton]

We do...but it does not work...people in General might
read the companies policies that pertain to something they
want.
The IT department is going to have an employee meeting on
this subject very soon.
Thanks