restrict terminal users from installing web tool bars etc.

[krischrist]

Hi,

how do i restrict windows users across terminal servers to restrict from installing web toolbars etc

I have seen the local security policy -> software restriction policies

has anyone done this before?

krischrist

http://www.KrisinDigitalAge.com

 

[ClarkPeterson]

I guess you would need to configure administrative template. You can configure browser zone policies and restrict users from downloading and installing ActiveX components. That can be done by setting corresponding policies like 'Download unsigned ActiveX controls', 'Initialize and script ActiveX controls not marked as safe', 'Run ActiveX controls and plugins' and others contained in Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone\ folder in Inetres.adm. You can find additional info on security zones configuration here . You also can define 'Default risk level for file attachments' policy located in Administrative Templates\Windows Components\Attachment Manager\ folder within the system.adm. To protect settings from being changed by users, you can set 'Disable the Security page' contained within a Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\ folder in Inetres.adm administrative template. Look at Administrative Templates\Windows Components\Terminal Services\ for additional settings for teminal connection. There's also a nice document called Locking Down Windows Server 2003 Terminal Server Sessions over there. We define the list of settings that should be applied to corresponding users when they work in normal way and when they work with Citrix farm with Desktop Authority. Normally we create standardized desktops but sometimes minor changes are needed that differ based on connection type.