
Software Restriction in Win 2000



Would like to restrict users from installing/uninstalling software on Win 2000 Pro/XP.

How do I enable it? I tried setting all users to the group "User", but it causes other problems: they can't run installed software smoothly (not authorized to read/write some folders/system folders). They can't even map a network printer to a local printer port. (We still have a DOS application to run.) Any ideas?


  • 2 weeks later...

Yes. BUT from a Windows Server 2003 domain. It has a Software Policies section under Computer Configuration -> Administrative Templates.

Windows 2000 servers do not have that section in GPO. I don't know if an admin template is available to let W2K domains implement it. If anyone has the info on where to get that, please post the URL.


You can use registry entries like:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
;Removes the Control Panel and Printers commands from Start\Settings.
;"NoSetFolders"=dword:00000001
;Prevents Windows from running the programs you specify in this policy.
"DisallowRun"=dword:00000001

;Prevents Windows from running the programs you specify in the DisallowRun policy.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun]
"1"="telnet.exe"
"2"="Unwise.exe"
"3"="unins000.exe"
"4"="dialer.exe"
"5"="hypertrm.exe"
"6"="Uninstall.exe"
"7"="UninstFr.exe"
"8"="QuickTimeUpdater.exe"
"9"="vncviewer.exe"
"10"="uninst-javaws.exe"
"11"="spuninst.bat"
"12"="spuninst.exe"
"13"="ciadv.msc"
"14"="cleanmgr.exe"
"15"="cliconfg.exe"
"16"="clipbrd.exe"
"17"="ddeshare.exe"
"18"="dcomcnfg.exe"
"19"="drwtsn32.exe"
"20"="fsmgmt.msc"
"21"="ieshwiz.exe"
;graphics card utility
"22"="igfxcfg.exe"
"23"="igfxcpl.cpl"
;Internet settings (IE)
"24"="inetcpl.cpl"
;Java console update utility
"25"="jpicpl32.cpl"
;offline file synchronization tool
"26"="mobsync.exe"
;backup restore utility (like Ghost)
"27"="ntbackup.exe"
;ODBC data source administration utility
"28"="odbcad32.exe"
;Performance monitor
"29"="perfmon.exe"
"30"="perfmon.msc"
;phone book
"31"="rasphone.exe"
;system editor
"32"="sysedit.exe"
;encryption utility
"33"="syskey.exe"
;lets you change Windows themes
"34"="themes.exe"
;Telnet server administration
"35"="tlntadmn.exe"
;Driver verifier manager
"36"="verifier.exe"
;Add/Remove Hardware wizard
"37"="hdwwiz.cpl"
;Mouse settings
"38"="main.cpl"
;Volume control settings
"39"="mmsys.cpl"
;ODBC data source administration utility
"40"="odbccp32.cpl"
;Power settings administration
"41"="powercfg.cpl"
;Telephony options settings
"42"="telephon.cpl"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\uninstall]
;Disables the Add/Remove Programs application from the Start menu
"NoAddRemovePrograms"=dword:00000001
;Hides the 'Change or Remove Programs' page
"NoRemovePage"=dword:00000001
;Hides the Add New Programs page
"NoAddPage"=dword:00000001
;Hides the Add/Remove Windows Components page
"NoWindowsSetupPage"=dword:00000001
;Hides the option to add a program from a CD-ROM or floppy disk
"NoAddFromCDorFloppy"=dword:00000001
;Hides the option to add a program from Microsoft
"NoAddFromInternet"=dword:00000001
;Hides the option to add a program from your network
"NoAddFromNetwork"=dword:00000001
;Removes the 'Add services' section from the Add/Remove Windows Components page
"NoServices"=dword:00000001

But this only disallows some visual entries and disallows some programs from running. If the user changes its name and if he has some power rights, he will be able to install software.


> But this only disallows some visual entries and disallows some programs from running. If the user changes its name and if he has some power rights, he will be able to install software.

Exactly. That's why Software policies in 2003 AD is so effective. It not only identifies a program by its INTERNAL name (the one the file got compiled with), but also by a checksum of the program content.

That way, no matter what name the file has in the disk, it won't get executed.
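The difference between the two approaches discussed in the posts above, as an added example that is not part of the original thread: a small simulation of a name-based deny list (DisallowRun style) next to a content-hash deny rule, run over constructed sample files. The function names are hypothetical, SHA-256 stands in for the checksum, and this is not Windows' own implementation.

```python
import hashlib
import tempfile
from pathlib import Path

# A few names taken from the DisallowRun list in the thread, lower-cased.
DISALLOW_RUN = {"telnet.exe", "unins000.exe", "uninstall.exe"}

def sha256_of(path: Path) -> str:
    """Hash the file content in chunks (SHA-256 is an assumption for this demo)."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def blocked_by_name(path: Path, names=DISALLOW_RUN) -> bool:
    """Name rule: looks only at the file name, never at the content."""
    return path.name.lower() in names

def blocked_by_hash(path: Path, denied_hashes) -> bool:
    """Hash rule: looks only at the content, never at the file name."""
    return sha256_of(path) in denied_hashes

def evaluate(path: Path, denied_hashes) -> dict:
    return {"name_rule": blocked_by_name(path),
            "hash_rule": blocked_by_hash(path, denied_hashes)}

def demo() -> dict:
    """Build constructed sample files and report which rule denies each one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        original = root / "Uninstall.exe"
        original.write_bytes(b"constructed sample content, build 1")
        denied = {sha256_of(original)}           # hash rule created from build 1

        renamed = root / "notes.exe"             # same bytes under another name
        renamed.write_bytes(original.read_bytes())

        (root / "v2").mkdir()
        new_build = root / "v2" / "Uninstall.exe"  # later build, different bytes
        new_build.write_bytes(b"constructed sample content, build 2")

        return {"original": evaluate(original, denied),
                "renamed": evaluate(renamed, denied),
                "new_build": evaluate(new_build, denied)}

if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```

The hash rule follows the content under any file name, while a later build of the same program needs its own hash entry, so a hash deny list has to be maintained per version.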
