SamR

When my facility was still on a Windows peer-to-peer network, I was playing around with my office PC to see whether I could block certain programs from launching. No surprise, I was able to change local policy to stop Internet Explorer. With the test completed and satisfied, I removed the restriction. But, IE still won't launch . . . sort of. If I click on the IE icon under All Programs, I get an error message that says, "This operation has been canceled due to restrictions in effect on this computer. Please contact your system administrator." If I receive an email through MS Outlook that contains a link and I click it, I get the same message. Same thing if I type "iexplore" into the Run menu or drill down into the IE8 folder and launch iexplore.exe from there. However, if I click on the IE icon on my Desktop or if I click on a certain IIS program icon on my Desktop, IE launches with no error. Furthermore, once IE is launched this way, the scenarios above no longer generate the error message. If I look in Local Policies, there doesn't appear to be any restrictions in place. After I started having this problem, a friend of mine got into the Registry and "enabled" something (I think). I have no idea what or where, though. Once he did, I no longer got the error message. This was only a temporary fix, though. Probably until I rebooted the machine the next time. Any ideas where I can enable IE in the registry, or maybe even a more permanent solution?

Thanks, cluberti. I agree. I think the Regulators are good at designing policy but maybe not so good at understanding how a network functions. I suspected that locking down .exe files was the route I would have to take, but I expected it would involve a lot of trial and error to get it right. I've run into problems before by restricting what you can launch, such as you begin seeing unexpected side effects, like right-click becomes disabled or similar.

In my facility, certain users are allowed access to only one application when they log into a PC. Our regulations state that when the user logs in the app must launch immediately, and when the app is closed, Windows must automatically log out the user. I know that I could simply put the app in the Start Up menu for it to launch automatically, but is there any way Active Directory can force a user to log out if they close the app? I understand what our regulators are trying to accomplish, which is to prevent casual users from accessing resources for which they lack authorization. However, what is to prevent the user from simply minimizing the app or pressing Alt+F4?

That's a great idea, cluberti. I never thought about using min and max password ages in tandem to create the same effect. I think that will solve my problem. Thank you!

I know Active Directory can be configured to remember a history of passwords per user, the last 10 passwords, for example. Is there a way to prevent passwords from being recycled during a certain time frame? Can I prevent a user from changing his/her password to anything he/she has used within the last year, regardless of the number of changes?