Prevent Access

**Hamins** · April 25, 2006

Hi,

We have a network comprising of 1 multi-purpose Windows 2003 server with 25 Windows XP client PCs.

What is the best way to prevent users from Installing any type of software/program/application on their PCs ? I guess it would have to be through Group Policies (?)

How do I prevent users from downloading any type of oftware/program/application from the internet.

Lastly, how do I prevent users from saving any file on any drive on their local PC ?

I need to know this as soon as possible.... thanks

**fizban2** · April 25, 2006

don't give your users admin rights, that will stop the installation issue, saving things to there local computer would require you to do something like setup roaming profiles or redirect there docs and folders to a server location and then limit there access to the windows drive

**Hamins** · April 25, 2006

don't give your users admin rights, that will stop the installation issue, saving things to there local computer would require you to do something like setup roaming profiles or redirect there docs and folders to a server location and then limit there access to the windows drive

Hi Fizban2,

Thanks for the quick response...

Ofcourse, none of the end-user have admin rights. However, they're still able to download certain programs from the net and install them. How does one prevent it completely.

Yes, we've already implemented roaming profiles. I would like to prevent users from saving any data onto their local drives. What would the exact procedure be ?

**nmX.Memnoch** · April 25, 2006

I would like to prevent users from saving any data onto their local drives.

That would pretty much render the PC unusable since most applications require temporary data be written to the drive. The location this temporary data is written depends on the application...

**fizban2** · April 25, 2006

if you really want to go to an extreme like that you should look into WYSE terminals... setting something like that up on a computer really destroys the potential of the machine, in GPO you can restrict the installation on any *.exe *.msi etc, that would take care of the install issue but again render everyone unable to install anything.

**Hamins** · April 25, 2006

Thanks for the response(s), Memnoch, Fizban2.

Let me explain the current scenario... Most of the work is on Ms-Office. User need to access/modify/save document that are on a network drive on the server. However, often the users access the documents from the network drive, but save the documents on their local PC, mostly on C:\. I want to make sure that the user cannot save any data on their local PCs. However, I want the system and applications to be able to save files such as temp files, etc.

Fizban2, which GPO would restrict installation of .exe, msi etc ?

**Hamins** · April 26, 2006

anyone ?

**fizban2** · April 26, 2006

here are some settings to try

domain security policy is where these reside, you should be able to setup something here, not sure it will do all you want though

**valter** · April 27, 2006

Then a solution for you is eiather a thin client or regular PC with GPO restrictions and Temrinal Services ...

Edited April 27, 2006 by klasika

**Hamins** · April 28, 2006

Hi everyone ,

Everyone keeps saying that it's possible via GPO restriction. However, no one says which policy(s) in particular.

**jondercik** · April 28, 2006

More trouble than its worth IMHO. If you tell the users to save their files on the server and that you are only responsible for making sure they are available there.

As far as installing programs, tighten up the NTFS security on all the directories on the standard build for your company. And as others have said use software restriction policies to set up what programs can run. This will be a PITA though.

Jim

**chilifrei64** · April 29, 2006

The group policies you are looking for are

User Configuration -> Administrative Templates -> Windows Components->Windows Explorer

and the values you want are:

Hide these specified drives in My Computer

Prevent access to drives from my computer

Request credentials for network installations

Then give them roaming profiles and redirect their user folders to the network

I also agree with what fizban stated above, I have not thought about doing things that way but after seeing that I may start to...

One thing though.. ... you say that they are not admins yet you say they can install stuff.. I have ran a few networks where I have just made all users part of the users group with no special permissions at all and tried to install programs with no luck.. If your users arent admins.. they should not be allowed to run any type of installation..

**Hamins** · April 29, 2006

Hi Chilifrie,

Thanks for the info..... I'll try them out...

Yes, the user can install software such as Rapidocs, even if they don't have any admin rights.

**-I-** · April 29, 2006

Admin / Power user = full or partion admin

you nead to make them user or guest user...

The group policies you are looking for are
User Configuration -> Administrative Templates -> Windows Components->Windows Explorer
and the values you want are:
Hide these specified drives in My Computer
Prevent access to drives from my computer
Request credentials for network installations

download restrictions are found in IE-policies (but i have no server running to look voor exact key).

Sign In

Prevent Access

Recommended Posts

Hamins

fizban2

Hamins

nmX.Memnoch

fizban2

Hamins

Hamins

fizban2

valter

Hamins

jondercik

chilifrei64

Hamins

-I-

Please sign in to comment

Recently Browsing 0 members

Activity

Browse