Restricting installation of programs

[Dan]

I have a P2P network that has one workgroup. I would like
to restrict all "limited" users from being able to install
programs - any programs. It doesn't matter to me if I
have to set these restrictions for each user or on a group
level.

How can I do this?

 

[Jerry]

Limited Accounts - people cannot install software.

From the book "PC Magazine - Windows XP Solutions" page 160.

 

[Steven L Umbach]

If you are using XP Pro, you can configure Software Restriction Policies and use
certificate, hash, or path rules to limit what users can install and run. The
enforcement rule can be configured to not apply SRP to local administrators. More
than likely you would be using hash and path rules. Since you are not in a domain,
you would have to use SRP at the computer policy level. If interested see the links
below and I recommend that you configure a tests computer before any rollout. ---
Steve

http://support.microsoft.com/?kbid=310791
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx

 

[dan]

I not sure the limited accounts do actually limit
installation of all programs? I just setup a test system
and went into a limited account and it allowed me to
install norton system works. So I don't have much
confidence that the "limited" account alone will do the
job...

 

[dan]

Thanks for the reply but I'm not trying to prevent
programs from running. I'm just trying to prevent all
programs from being installed. I'm surprised this isn't a
standard setting in xppro...

Any ideas on simply restricting installations...

 

[Steven L Umbach]

Installing a program itself is running a program involving setup.exe,
install.exe, misexec.exe, etc. Software Restriction Policies are very
effective at preventing that. Regular users have write access usually to
only their profile and possibly the root/drive folder [where you may want
users/everone to have no more that read/list/execute including advanced
permissions page]. You could create a path rule to their profile folder that
disallows running any application from there and they will not be able to
install or run software from their profile but still be able to run other
programs on their computer. There is a Group Policy user configuration
setting in administrative templates/system where you can populate the
disaalowed Windows applications list and some will add install.exe and
setup.exe to that list. However Local Group Policy applies to all users on a
computer, including administrators though SRP can exempt administrators with
the enforcement rule. --- Steve