Sign in with
Sign up | Sign in
Your question

Application lockdown

Last response: in Windows 2000/NT
Share
April 7, 2004 7:31:01 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I have tried verious methods posted here. I have hidden the c drive, used disable specific programs. Used GPO and such... i have been very successful on the local level. the problem i'm having is my users have figured out if they create a a shortcut on thier network drive, they can point to a file on thier local drive.

ie.. some have created a shortcut "MS-DOS" with it pointing to c:\windows\system32\command.com even though their is a GPO set so they can not run command.com, it still works... they have found a work-around.

Can anyone help?

More about : application lockdown

Anonymous
April 7, 2004 10:52:29 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

ehance the logon script to delete all the *.lnk files from the stored
network area!

It's a freaken cat and mouse game... isn't it! :) 

Stew

"roger" <anonymous@discussions.microsoft.com> wrote in message
news:56D05FBA-9020-4D19-8B5E-C19A159C4C12@microsoft.com...
> I have tried verious methods posted here. I have hidden the c drive, used
disable specific programs. Used GPO and such... i have been very successful
on the local level. the problem i'm having is my users have figured out if
they create a a shortcut on thier network drive, they can point to a file on
thier local drive.
>
> ie.. some have created a shortcut "MS-DOS" with it pointing to
c:\windows\system32\command.com even though their is a GPO set so they can
not run command.com, it still works... they have found a work-around.
>
> Can anyone help?
April 8, 2004 4:24:39 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

"roger" <anonymous@discussions.microsoft.com> wrote in message
news:56D05FBA-9020-4D19-8B5E-C19A159C4C12@microsoft.com...
> I have tried verious methods posted here. I have hidden the c drive, used
disable specific programs. Used GPO and such... i have been very successful
on the local level. the problem i'm having is my users have figured out if
they create a a shortcut on thier network drive, they can point to a file on
thier local drive.
>
> ie.. some have created a shortcut "MS-DOS" with it pointing to
c:\windows\system32\command.com even though their is a GPO set so they can
not run command.com, it still works... they have found a work-around.
>
> Can anyone help?

Have you denied it specifically by that name, if so do cmd.exe. Set
properties to deny cmd.exe / command.exe on the files itself to certain user
would b my suggestion
Related resources
Anonymous
April 8, 2004 4:24:40 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

the login script is a good idea but they can just create the shortcut again.
and yes i have done the whole combination cmd.exe command.com command.exe
and others.


"Barry" <no@thanksspamiityspam> wrote in message
news:e0rMWwVHEHA.2580@TK2MSFTNGP12.phx.gbl...
>
> "roger" <anonymous@discussions.microsoft.com> wrote in message
> news:56D05FBA-9020-4D19-8B5E-C19A159C4C12@microsoft.com...
> > I have tried verious methods posted here. I have hidden the c drive,
used
> disable specific programs. Used GPO and such... i have been very
successful
> on the local level. the problem i'm having is my users have figured out if
> they create a a shortcut on thier network drive, they can point to a file
on
> thier local drive.
> >
> > ie.. some have created a shortcut "MS-DOS" with it pointing to
> c:\windows\system32\command.com even though their is a GPO set so they can
> not run command.com, it still works... they have found a work-around.
> >
> > Can anyone help?
>
> Have you denied it specifically by that name, if so do cmd.exe. Set
> properties to deny cmd.exe / command.exe on the files itself to certain
user
> would b my suggestion
>
>
April 8, 2004 6:06:03 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

i meant set the properties on the files themselves so that they do not have
read permissions.


"Francisco Lopez" <fjlopez@hotmail.com> wrote in message
news:o 1IxCFWHEHA.3444@TK2MSFTNGP11.phx.gbl...
> the login script is a good idea but they can just create the shortcut
again.
> and yes i have done the whole combination cmd.exe command.com command.exe
> and others.
>
>
> "Barry" <no@thanksspamiityspam> wrote in message
> news:e0rMWwVHEHA.2580@TK2MSFTNGP12.phx.gbl...
> >
> > "roger" <anonymous@discussions.microsoft.com> wrote in message
> > news:56D05FBA-9020-4D19-8B5E-C19A159C4C12@microsoft.com...
> > > I have tried verious methods posted here. I have hidden the c drive,
> used
> > disable specific programs. Used GPO and such... i have been very
> successful
> > on the local level. the problem i'm having is my users have figured out
if
> > they create a a shortcut on thier network drive, they can point to a
file
> on
> > thier local drive.
> > >
> > > ie.. some have created a shortcut "MS-DOS" with it pointing to
> > c:\windows\system32\command.com even though their is a GPO set so they
can
> > not run command.com, it still works... they have found a work-around.
> > >
> > > Can anyone help?
> >
> > Have you denied it specifically by that name, if so do cmd.exe. Set
> > properties to deny cmd.exe / command.exe on the files itself to certain
> user
> > would b my suggestion
> >
> >
>
>
!