You can not really stop users from downloading files on the Internet short
of denying them access to the Internet. There are a couple of ways to do
this using Group Policy. The users can not get around this - no matter how
smart they might think they are. This may not be what you want to do. You
could allow them access to certain web sites and no where else. That would
be, as the other poster stated, more of a Firewall / ISA level solution.
This may also not work for your environment. The users could not get around
this, either. You can, however, prevent users from running certain
executables. This is also a Group Policy thing. The smarter users might be
able to get around this by simply changing the name of the .exe file.
Removing the domain user account object from the computer's local
Administrators group is almost always a good thing. I typically do not
allow the 'regular user' to have this situation. I have far too many horror
stories when this situation was allowed. Setting up the domain user account
to be a member of the computer's local Power User group is usually a better
solution as the users will still be able to add printers ( so, if you do not
want this then it would be a bad solution! ) and install some software.
This should prevent most applications from installing in the first case.
All those problematic applications that the users seem to love ( Hotbar,
AIM, etc. ) typically require that the user account being used have
administrative privs to the local computer account and the Power User
membership does not usually fulfill that requirement....usually!
HTH,
Cary
