Sign in with
Sign up | Sign in
Your question

Why can USERS install programs?

Tags:
Last response: in Windows 2000/NT
Share
July 29, 2004 11:07:01 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I have many people setup as USERS in Win2K pro. Why are they able to install programs?

Specialically, everytime I go to a computer, they have installed chat programs such as ICQ & AOL IM and some other international ones as well. And they are installed underneath the Program Files directory as well, not even under their My Documents folder, which I understand can be done as well.

I would love to set these people up as guests, but proxy settings don't hold for a guest. Does anyone have an explanation or suggestion how to COMPLETELY lock outr a person from installing software?

More about : users install programs

Anonymous
July 31, 2004 12:13:01 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I would verify that the users in question are only regular users and not members of
the power users or local administrators group. Also examine security on the program
files folder which does not let regular users write access in a default installation.
Keep in mind that if a user can boot from a floppy or cdrom that there are widely
available free tools to reset the built in administrators account password to null. I
would also check ownership of those folders to see if it shows user or
administrators. Create a new regular user account, logon as that user and try
yourself to see if you can install the mentioned programs to the program files folder
that does not have write access for regular users.

Windows XP Pro has the very powerful Software Restriction Policies to enforce what a
user can run on their computer. W2K does not have that but you may have some luck
populating the disallowed Windows application list in Group Policy under user
configuration/administrative templates/system and adding at least install.exe and
setup.exe. You also want to make sure that the Group Policy setting for users for
"always install with elevated privileges" is disable which will allow regular users
to install .msi applications. That setting is under both computer and user
configuration/administrative templates/Windows components/Windows installer. Also
check that the users/everyone groups have only read/list/execute permissions to the
root/drive folder and also look in advanced permissions. A more extreme measure that
I have tested with pretty good results but have not tried for every possible case is
to go the users folder under documents and settings and go to security page/advanced.
Add the user and then in apply onto select files only and give the user deny
permissions for traverse folder/execute file. If you want to try it, do it on just a
few users computers for a while to make sure user is not denied needed access to an
application. Good luck. --- Steve


"mark@njycamps.NOSPAM.org" <mark@njycamps.NOSPAM.org@discussions.microsoft.com> wrote
in message news:C951A14C-775B-4506-A358-145262DB76A6@microsoft.com...
> I have many people setup as USERS in Win2K pro. Why are they able to install
programs?
>
> Specialically, everytime I go to a computer, they have installed chat programs such
as ICQ & AOL IM and some other international ones as well. And they are installed
underneath the Program Files directory as well, not even under their My Documents
folder, which I understand can be done as well.
>
> I would love to set these people up as guests, but proxy settings don't hold for a
guest. Does anyone have an explanation or suggestion how to COMPLETELY lock outr a
person from installing software?
!