Software Restriction Policies - Question

Guest
Archived from groups: microsoft.public.win2000.group_policy

Hi,

I like to build a software restriction policy that prevents all users from
running software like ie (Kazaa; Soulseek, and other applications) but
because these applications can be installed in any drive in any folder I can
build a proper path, because if the users install the app in a folder
different than the one I enter the application will run anyway. Any comments
about this will be appreciated.

Best Regards,
 
Guest

"Emiliano G. Estevez" <eestevez@sistran.com.ar> said

> Hi,
>
> I like to build a software restriction policy that prevents all users
> from running software like ie (Kazaa; Soulseek, and other applications)
> but because these applications can be installed in any drive in any
> folder I can build a proper path, because if the users install the app
> in a folder different than the one I enter the application will run
> anyway. Any comments about this will be appreciated.
>

Software restrictions by themselves (in Windows 2000) will not achieve this
but when combined with proper NTFS permissions it can be done.

1. Install all 'approved' applications into the 'program files' directory,
   then set permissions on this directory so that users cannot create
   directories or files here (or in subdirectories)
2. Create your software restriction policies as follows:
   Default policy - Deny
   Windows directory and subdirectories - Unrestricted
   Program files directory - Unrestricted
   *.lnk *.pif and *.url - Unrestricted

This means that even if users copy an executable to another location, it
won't run. Shortcuts will work fine though.

You will probably need to fine tune the software restriction policy but you
should get the general idea.

--
Andy.
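
An added example, not part of Andy's post: a PowerShell audit of the NTFS side of this design, listing directories under the two Unrestricted path rules where a broad non-administrative group can create or replace files. It assumes PowerShell 3.0 or later (newer than the Windows 2000 clients discussed), the default %ProgramFiles% and %windir% locations, and the hypothetical function name Get-UserWritableDirectory.

```powershell
# Added example: audit the directories that the path rules mark Unrestricted.
# Assumption: default locations taken from %ProgramFiles% and %windir%.
$roots = @($env:ProgramFiles, $env:windir)

# Well-known SIDs for broad, non-administrative principals.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'Interactive'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'Users'
}

# Rights that let a principal create or replace a file in a directory:
# WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
# ChangePermissions (0x40000), TakeOwnership (0x80000),
# GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
$writeMask = 0x2 -bor 0x4 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-UserWritableDirectory {   # hypothetical helper name
    param([string[]]$Path)
    foreach ($root in $Path) {
        $dirs = @(Get-Item -LiteralPath $root -Force) +
                @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($dir in $dirs) {
            try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
            catch { continue }   # ACL not readable: skipped, review by hand
            # Ask for SIDs so the check does not depend on localized group names.
            $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
            foreach ($rule in $rules) {
                $sid = $rule.IdentityReference.Value
                if ($rule.AccessControlType -eq 'Allow' -and
                    $broadSids.ContainsKey($sid) -and
                    ([int]$rule.PropagationFlags -band 2) -eq 0 -and   # skip inherit-only ACEs
                    ([int]$rule.FileSystemRights -band $writeMask) -ne 0) {
                    [pscustomobject]@{
                        Path      = $dir.FullName
                        Principal = $broadSids[$sid]
                        Rights    = $rule.FileSystemRights
                    }
                }
            }
        }
    }
}

Get-UserWritableDirectory -Path $roots | Format-Table -AutoSize
```

Any row returned is a location where a copied executable would still match an Unrestricted path rule, so its permissions need tightening or the path needs its own rule.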
 
Guest

Also if the users are not local admins on the computers, they will not be
able to install said software.

I haven't looked at the software restriction policies yet, but heard it was
possible to just list programs of an unacceptable name to run. For
instance, could you just enter "setup.exe" as an 'unacceptable name' ?

Also... I was under the impression that software restriction policies could
only be applied to XP machines (2000 will ignore)? I may have just misread,
and it's supposed to read "(in Windows 2000 Server)"... I read it as Pro.

HTH

Ken


"Andrew Mitchell" <amitchell@removecasey.vic.gov.au> wrote in message
news:Xns957B9755E02Bcasey01@207.46.248.16...
> "Emiliano G. Estevez" <eestevez@sistran.com.ar> said
>
> > Hi,
> >
> > I like to build a software restriction policy that prevents all users
> > from running software like ie (Kazaa; Soulseek, and other applications)
> > but because these applications can be installed in any drive in any
> > folder I can build a proper path, because if the users install the app
> > in a folder different than the one I enter the application will run
> > anyway. Any comments about this will be appreciated.
> >
>
> Software restrictions by themselves (in Windows 2000) will not achieve this
> but when combined with proper NTFS permissions it can be done.
>
> 1. Install all 'approved' applications into the 'program files' directory,
> then set permissions on this directory so that users cannot create
> directories or files here (or in subdirectories)
> 2. Create your software restriction policies as follows:
> Default policy - Deny
> Windows directory and subdirectories - Unrestricted
> Program files directory - Unrestricted
> *.lnk *.pif and *.url - Unrestricted
>
> This means that even if users copy an executable to another location, it
> won't run. Shortcuts will work fine though.
>
> You will probably need to fine tune the software restriction policy but you
> should get the general idea.
>
> --
> Andy.
 
Guest

"Ken B" <none@microsoft.com> said

> Also if the users are not local admins on the computers, they will not
> be able to install said software.
>
> I haven't looked at the software restriction policies yet, but heard it
> was possible to just list programs of an unacceptable name to run. For
> instance, could you just enter "setup.exe" as an 'unacceptable name' ?
>

That's correct but on Windows 2000 clients the user can just rename the file
and it will run.
Windows XP clients allow you to specify a hash value, so renaming the file
won't get around the restriction as the hash doesn't change.

> Also... I was under the impression that software restriction policies
> could only be applied to XP machines (2000 will ignore)?

AFAIK Windows 2000 will only ignore the hash restrictions.

--
Andy.