
Client lockdown


torledo

IS-IT--Management
Oct 5, 2004
35
GB
Greetings All

We've got some very restrictive domain group policies for student accounts that disable run, cmd, control panel, copying to the desktop etc., but we are having a problem whereby users can save internet downloads to their home directories/network shares and run them from there to install on the local machine.

They can't do this with proper Windows apps that require admin/install rights, but nuisance-ware such as 180SearchAssitant, comedy-planet, eMusicSetup and even Winzip have cropped up on a number of machines.

I recall my university having experienced this problem when they migrated to Windows 2000, so they turned to DeepFreeze, but I want to avoid using third party apps that restore the machine to a clean state.

Is there a way to stop this from happening via group policy in Win2k, either by preventing downloads from the internet or preventing installation of these downloads?

thanx
 
There are different things you can do with group policy.
E.g. you can allow only certain .exe files to run.
You can disable downloading files from IE.
For nuisanceware, you're better off getting things like adaware and spywareblaster running on the PCs.


List what you need to let the students do, and what you want to prevent them from doing...

These policies might help:
Administrative Templates\Windows Components\Internet Explorer: Disable Automatic Install of Internet Explorer components
(for malware..)
USER Administrative Templates\Windows Components\Internet Explorer\Browser menus: Disable Save this program to disk option
(for downloads)



Aftertaf
__________________
squiggle squiggle
 
We had this problem for a while, as certain programs required us to give users Power Users access. As soon as we removed this level of access, these programs cannot install.

Funweb
Hotbar
Smileycentral
180SearchAssitant
comedy-planet
and Coolwebsearch

The list goes on and on, but I've tested and they all try to install to the Program Files or Windows directories, which Restricted Users only have read access to, so they fail to install.

Give it a try, I've found very few problems since we did this.

I don't mean to sound bitter, cold, or cruel, but I am, so that's how it comes out - Bill Hicks
 
If you mean f****** browser helper toolbars then that's a bit more tricky. I managed to get around them by doing this.

Put this in a .reg file

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions"="no"

Then run the below batch file at logon.

Regedit /s %Logonserver%\NETLOGON\Regfixes\IEToolbarfix.reg

That prevents the users from seeing the toolbars, NOT installing them, but as they can't see them they soon give up installing them.


I don't mean to sound bitter, cold, or cruel, but I am, so that's how it comes out - Bill Hicks
 
Thanks for info people, really helpful.

Aftertaf, thnx, managed to configure all sorts of restrictions for IE - need XP SP2 on all clients to restrict all IE 6 file downloads completely.

bofhrevenge2,
you were spot on with your suggestion. For some reason domain users were in the local administrators group on each machine! With admin access to the entire C drive. Is this by default when adding users in AD? If so, I'm shocked.

Will now need to change that for every machine. Damn, if I knew ADSI or was any good at scripting I could do it in a snap.
 
No domain users should be in the local users group by default. I would test your software with this setup as some can cause problems when restricted user rights are used, but you will be running a much more secure setup.

There is a way to script the removal of these groups; if I find it I'll post it. There is also a feature called restricted groups, but this is only available if you use a 2003 active directory, which I assume you are not.


I don't mean to sound bitter, cold, or cruel, but I am, so that's how it comes out - Bill Hicks
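
Added example, not part of the original thread and not any poster's script: one way to do the scripted cleanup discussed above, using the ADSI WinNT provider from PowerShell. It reports members of each machine's local Administrators group that are not on an allow-list and removes them only when -Remove is given; the parameter names, the allow-list contents and the English group name "Administrators" are assumptions.

```powershell
# Added example: audit (and optionally clean) local Administrators membership.
# Assumptions: English group name "Administrators"; the allow-list below is a
# sample and matches on account name only, so adjust it before using -Remove.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string[]]$Allowed = @('Administrator', 'Domain Admins'),
    [switch]$Remove   # without this switch the script only reports
)

function Get-LocalAdminMember {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # Members come back as raw COM objects, so read properties via reflection.
        $t = $m.GetType()
        New-Object PSObject -Property @{
            Computer = $Computer
            Name     = $t.InvokeMember('Name', 'GetProperty', $null, $m, $null)
            ADsPath  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        }
    }
}

foreach ($computer in $ComputerName) {
    try {
        $members = @(Get-LocalAdminMember -Computer $computer)
    } catch {
        # Unreachable machine or access denied: report it and move on.
        Write-Warning "$computer : could not read Administrators group: $_"
        continue
    }
    foreach ($member in $members) {
        if ($Allowed -contains $member.Name) { continue }
        if ($Remove) {
            $group = [ADSI]"WinNT://$computer/Administrators,group"
            $group.psbase.Invoke('Remove', $member.ADsPath)
            Write-Output "$computer : removed $($member.ADsPath)"
        } else {
            Write-Output "$computer : unexpected member $($member.ADsPath)"
        }
    }
}
```

Run it without -Remove first and review the report; a domain group such as Domain Users shows up with an ADsPath of the form WinNT://DOMAIN/Domain Users.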
 
I've got the restricted groups feature when I open active directory users and computers in XP for our domain. I assume that if I tried adding a restricted group from XP it would conflict with the AD features actually available on our Win2k domain controller.

Is there a registry key to modify local users and groups?
 
I honestly couldn't say, but I don't think restricted groups is supported in 2000 AD.

I don't mean to sound bitter, cold, or cruel, but I am, so that's how it comes out - Bill Hicks
 