Express Posted June 8, 2006 Share Posted June 8, 2006 Hi All,Ok here's the scenerio I work at a firm which, as anywhere you have your clowns that like to wonder on websites which they shouldnt be on and downloading games and such... yeah they can get terminated thats another story. Currently these users are setup with admin rights due to the trading applications they need to use. Now I have been successful on locking down some apps so they dont need admin rights but there others which need it. I have been able to place them in to PowerUses and it works as well. My question is what are the main differences between Administrator and PowerUsers. Can they both still do installs and such???? Any advice will be appreciated. My overall goal is to lock the user down that they may only use the computer for its purpose at work without downlaoding stuff which then as we all know it installs adwares, spywares, viruses and etc....ThanksEXPRESS Link to comment Share on other sites More sharing options...
nitroshift Posted June 8, 2006 Share Posted June 8, 2006 i would just deny their access to the internet. simple as that! i know what you are going through as i have had the same problems. i warned the users about accessing some sites and downloading stuff and those who didn't listen got banned from accessing the internet. if it helps, you can achieve that through the group policy on your server. hope this helps you. good luck! Link to comment Share on other sites More sharing options...
Express Posted June 8, 2006 Author Share Posted June 8, 2006 (edited) nitroshift, sounds like a good idea, but and here is the but. They need to access internet for some of the applications though. We have in place policies that restrict users to websites but we can't get them all. Also I need to restrict these guys from installing apps, like ESPN, Weather tools, etc...Thanks,EXPRESS Edited June 8, 2006 by Express Link to comment Share on other sites More sharing options...
Camarade_Tux Posted June 8, 2006 Share Posted June 8, 2006 If you know what are the names of the apps they shouldn't run, you can lock them. I think I have something like that at school.Or, you can have a white-list too.Or, you can use an app that will close or reduce to taskbar non-wanted apps or windows. You can do that to prevent any download from the internet : cancel will be sent to each download dialog.Last, you can forbid any ActiveX to install.As for the difference between power users and Admins, I have no idea.Except that I dound an interesting page: http://www.sysinternals.com/blog/2006/05/p...ower-users.htmlThe Power Users group is able to install software, manage power and time-zone settings, and install ActiveX controls, actions that limited Users are denied.and so on. Link to comment Share on other sites More sharing options...
Express Posted June 8, 2006 Author Share Posted June 8, 2006 Hmm sounds interesting how would I do that? Or, you can use an app that will close or reduce to taskbar non-wanted apps or windows. You can do that to prevent any download from the internet : cancel will be sent to each download dialog.Thanks,EXPRESS Link to comment Share on other sites More sharing options...
dancity Posted June 8, 2006 Share Posted June 8, 2006 Power Users are given privledges to install programs and hardware but necessarily dont havce access to everything in the system Windows, whilest Administrator has full access to everything.Your best best is to use a software that can (I believe windows security Policy management does this) only let applications on the allowed list run - so you can block out the uncessary aps. Hmm I also think black access to control panel too put some tough restrictions on it:) And keep the net up , and password some websites. Link to comment Share on other sites More sharing options...
Camarade_Tux Posted June 8, 2006 Share Posted June 8, 2006 Hmm sounds interesting how would I do that? Or, you can use an app that will close or reduce to taskbar non-wanted apps or windows. You can do that to prevent any download from the internet : cancel will be sent to each download dialog.Thanks,EXPRESSI personnaly use AHK for such purposes. Since I've forgotten something in AHK, I'll only post a full script tonight. Or, if you only want the thing to cancel downloads : you need the title of the initial download dialog. Then, it should look like WinWait, the_title_of_the_windowWinMinimize, the_title_of_the_windowAnd the thing I forgot is the "loop" part.It is also possible to wait for a few seconds before cancelling. Thus, users should be able to download small files but not bigger ones.I'll also check if it is possible to filter according to file extensions. But this one is also maybe possible use regedit.And last, on "blocking" it is possible to have a ballon-tip.In a few words, I'll try to make a "proof-of-concept" script before going to bed but right now, I have to work. Link to comment Share on other sites More sharing options...
Express Posted June 8, 2006 Author Share Posted June 8, 2006 (edited) Camarade_Tux, hey that sounds good to me. I will wait patiently that script I'd like to try that. I have never tried that autohotkey, I will look into it today.Thanks for all the info. Edited June 8, 2006 by Express Link to comment Share on other sites More sharing options...
bledd Posted June 8, 2006 Share Posted June 8, 2006 can't you do a rule that blocks ALL websites apart from ...so they can ONLY use websites that they ask you to give them access to Link to comment Share on other sites More sharing options...
janus zeal Posted June 9, 2006 Share Posted June 9, 2006 (edited) can't you do a rule that blocks ALL websites apart from ...so they can ONLY use websites that they ask you to give them access toyes. you can also use programs like Deep Freeze and Anti-executable.http://www.faronics.com Edited June 9, 2006 by janus zeal Link to comment Share on other sites More sharing options...
Camarade_Tux Posted June 9, 2006 Share Posted June 9, 2006 (edited) Express, what is the "exact" title of a download dialog in your language (the thing is case-sensitive) ?When this windows appears, checks it is active and simulate a press on the ESCAPE key. This cancels the download. It also displays a ballon-tip (can't test the ballon-tip right now cause Litestep [my shell] can not display them)The title of this window is "Téléchargement de fichier". What's yours ?It will only cancel the first 1000 downloads. I think it should be enough. Edited June 9, 2006 by Camarade_Tux Link to comment Share on other sites More sharing options...
XP_2600 Posted June 9, 2006 Share Posted June 9, 2006 Group policy can do alot, just check it. Link to comment Share on other sites More sharing options...
Zxian Posted June 9, 2006 Share Posted June 9, 2006 From what I can see, you've got two options.1) Use Group Policies like XP_2600 said to restrict the programs that are allowed to run. Just make sure that all the default startup items are included on that list, as well as mmc.exe and task manager (and the other few common ones).2) Wouldn't you be able to use "Run As..." for the programs that they need to run as an admin, and give the users a limited or other type of account? Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now