
Preventing users on win2k network from installing programs

Status
Not open for further replies.

gbl

I've been reviewing a number of posts and done some searches, but I have not really found a definitive answer whether or not a network admin can prevent users, through Group policies or otherwise, from installing unauthorized programs on their workstations (mostly windows 2000 professional or windows xp professional in our office, with a windows 2000 server).
It appears that there is better control on windows xp computers due to additional controls in group policy. Can these be enforced over a network with a windows 2000 server, or will this only be possible with windows 2003 server?
I would like to either be able to list the permitted programs and make all others impossible to install or find some other way.
One problem is that there are simply too many legacy programs so that the high security template can be used to establish security.
Also I have heard that programs like hotbar and bonzi buddy can work around these kinds of controls.
Can anyone specifically tell me what windows 2000 group policy settings exist if any to prevent someone from installing a program on their workstation?
I am sure we could configure our firewall to ban access to certain websites but this would be a piecemeal solution.
Thanks for all suggestions!
 
Mmmm.. I'm interested in this thread, because what I know is that the default for domain users in the workstation when they login is only users. Without joining them to any of the local group (Local admin, power users, back up operators etc. etc.) they can't install a program or change any settings.
 
Well, I am not sure if this is what you were looking for. When I run a mmc from the command prompt and use the add/remove snap-in to add LOCAL COMPUTER POLICY I found something. My Active Directory Services book from MS says that there are 450 of these settings available so I started searching. I found under Local Computer Policy-Computer Configuration-Administrative Templates-Windows Components-Windows Installer the following:

Prohibit user installs

This setting allows you to configure user installs. To configure this setting, set it to enabled and use the drop-down list to select the behavior you want.

If this setting is not configured, or if the setting is enabled and "Allow User Installs" is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, this hides a per-computer installation of that same product.

If this setting is enabled and "Hide User Installs" is selected, the installer ignores per-user applications. This causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile.

If this setting is enabled and "Prohibit User Installs" is selected, the installer prevents applications from being installed per user, and it ignores previously installed per-user applications. An attempt to perform a per-user installation causes the installer to display an error message and stop the installation. This setting is useful in environments where the administrator only wants per-computer applications installed, such as on a kiosk or a Windows Terminal Server.

Also, under Local Computer Policy-User Configuration-Administrative Templates-Windows Components-Windows Installer I found:

Prevent removable media source for any install

Prevents users from installing programs from removable media.

If a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears, stating that the feature cannot be found.

This setting applies even when the installation is running in the user's security context.

If you disable this setting or do not configure it, users can install from removable media when the installation is running in their own security context, but only system administrators can use removable media when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs.

Also, see the "Enable user to use media source while elevated" setting in Computer Configuration\Administrative Templates\Windows Components\Windows Installer.

Also, see the "Hide the 'Add a program from CD-ROM or floppy disk' option" setting in User Configuration\Administrative Templates\Control Panel\Add/Remove Programs.

I don't think this will block all installs but it may depending on who and what kind are trying.

Hope it helps.
 
I would create local group policies. Search for GPEDIT, then set up your policy. Disable add/remove programs and disable registry editing tools. You may also want to remove the run from the start menu.
 
And deny access to the command prompt.

Hewissa

MCSE, CCNA, CIW
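
A quick way to check which of the restrictions named in the posts above are actually in effect on a workstation (an added example, not part of any poster's reply). The registry value names are the ones these Administrative Templates settings are documented to write; they are not quoted in the thread and are supplied here as an assumption. The script needs PowerShell, which a stock Windows 2000 workstation does not have.

```powershell
# Added example: report whether the policies discussed in this thread are set.
# Run it as the restricted user, because the HKCU values are per-user.
$root = 'Software\Microsoft\Windows\CurrentVersion\Policies'
$checks = @(
    @{ Policy = 'Prohibit user installs'
       Path = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'; Name = 'DisableUserInstalls' },
    @{ Policy = 'Enable user to use media source while elevated'
       Path = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'; Name = 'AllowLockdownMedia' },
    @{ Policy = 'Prevent removable media source for any install'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'; Name = 'DisableMedia' },
    @{ Policy = 'Hide the Add a program from CD-ROM or floppy disk option'
       Path = "HKCU:\$root\Uninstall"; Name = 'NoAddFromCDorFloppy' },
    @{ Policy = 'Remove Add/Remove Programs'
       Path = "HKCU:\$root\Uninstall"; Name = 'NoAddRemovePrograms' },
    @{ Policy = 'Disable registry editing tools'
       Path = "HKCU:\$root\System"; Name = 'DisableRegistryTools' },
    @{ Policy = 'Remove Run from the Start menu'
       Path = "HKCU:\$root\Explorer"; Name = 'NoRun' },
    @{ Policy = 'Deny access to the command prompt'
       Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD' }
)

function Get-InstallPolicyState {
    param([hashtable[]]$Checks)
    foreach ($c in $Checks) {
        # A missing key or value means the policy is not configured.
        $value = $null
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.($c.Name) }

        [pscustomobject]@{
            Policy = $c.Policy
            Scope  = if ($c.Path -like 'HKLM:*') { 'Computer' } else { 'User' }
            State  = if ($null -eq $value) { 'Not configured' }
                     elseif ($value -eq 0) { 'Configured, value 0' }
                     else { "Configured, value $value" }
        }
    }
}

Get-InstallPolicyState -Checks $checks | Format-Table -AutoSize
```

The output only shows what has been applied to this machine and user; it does not test whether an installer can work around the settings.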
 
Thanks for the replies. Tom70, just to clarify: Isn't the "Prohibit user installs" policy available only in windows server 2003 and windows xp only? I'm trying to impose restrictions for the 2000 workstations.
Any other thoughts?
 
I'm using winselect that comes with the windows package. You can pretty much pick and choose per user what to lock them out of. And I've got one machine that my users tend to "destroy" on a fairly frequent basis, every office has one of those...I think they're trying to make their computer "run better". I don't know how they're doing it, it always functions for me. I am also a firm believer in hiding a drive partition and "ghosting" the C drive so that if and when they do trash it, I can restore it in about a half hour.

Good luck.
 
No, they are not. This is more or less quoted from my Windows 2000 Active Directory Services book from Microsoft. I would add though, that I don't know if this would guarantee that no one would be able to install. I have yet to put it to use myself.

I would be happy to help further if I can.

Good luck.
 
But without having to go from machine to machine, how can you do it server side for all regular users?
 