Disabling Downloads 1

[gcw1]

Hello Everyone,

We have set up a computer for public use where I work and disabled downloads. It was brought to my attention that someone installed Yahoo Messenger. I checked out the page for downloading the installation files and discovered that it downloads using activex and bypasses the normal "Disable Download" feature in Security settings. I guess I can disable activex, but won't that limit browsing some webpages? Do you think it would matter if I did that? I can block the page with the activex, but then that is only Yahoo specific. Anyone have any ideas on this? OS is WinXp Pro.

Thanks

Glenn

 

[bcastner]

You cannot disable everything, unless you choose to:

. run in Kiosk mode;
. or use a third-party application to revert the installation back to a base install on every reboot.

http://www.deepfreezeusa.com/

is one possibility.

Much cheaper anymore, purchase a copy of Norton Utilities for XP and install GoBack.

 

[linney]

You can disable ActiveX and just turn it on when you visit Windows Update Site. It shouldn't interfere with normal browsing of Web Pages.

I have a Firewall set up to block ActiveX and the only site I visit that objects is Windows Update, so I just make the necessary adjustments.

 

[bcastner]

linney,

But I doubt you run several IM packages. These things are true weasals, and blocking ActiveX is usually not sufficient to stop them.

 

[607255]

hi friends..
from where I can implement scurity policies in windows xp pro. fro my client computers.

 

[TechyMcSe2k]

Group Policy--Run gpedit.msc

 

[temporello]

I've found this on the net:

"Thanx to Jim Kenzing for this Tip.

To Prevent users from installing these types of programs navigate to:

Hkey Local Machine/Software/Microsoft/Code Store Database/ApplicationNamespaces

Choose the security/permissions option. Double click on the everyone listing (they should have special access to this key) and the special access permissions will come up. Uncheck the box that says create subkey. And no more Yahoo chat or MSN messenger.

Things like bonzai buddy, comet cursor, etc that install whether you like it or not you can take a different approach. Create a folder under program files with the name that they create and use security permissions to change the access to Everyone none. We create a no access Yahoo, Comet and Bonzai Buddy under each of our program files directories on our servers to prevent these."

 

[JimPletcher]

Thanks temporello!

You just solved a problem that I was about to have.

 

[bcastner]

Setting registry permissions on this key:

Hkey Local Machine/Software/Microsoft/Code Store Database/ApplicationNamespaces

is a genuinely bad idea. Unless you never have a need for Java applets or Visual Basic (to name two that use this registry space, there are others).

This notion: "Things like bonzai buddy, comet cursor, etc that install whether you like it or not you can take a different approach. Create a folder under program files with the name that they create and use security permissions to change the access to Everyone none. We create a no access Yahoo, Comet and Bonzai Buddy under each of our program files directories on our servers to prevent these." is a good one, if the darn malware would stay still. Unfortunately only a handful of malware applications create an entry under Program Files; and an even smaller handfull keep the same folder name over time.

 

[gcw1]

Thanks for all the replies. So what I'm gathering here is there is really no solid way of blocking all downloads without causing repercussions to other functionalities. That GoBack util is starting to look like the only way to go. This computer is virtually unsupervised and the login script that was created does an excellent job of securing it, but I guess there will always be something that slips by. Thanks again

Glenn

 

[gcw1]

I was thinking... what if I leave the downloading configuration how it is right now, and try to prevent installations. I know I can disable installations that use a windows installation wizard, but is there also a way to disable apps that use a different wizard? Why is this so damn difficult? hehe. Thanks.

Glenn