Software Restriction Policy

By witchen.philip.p
I am trying to find a way to prevent software being installed from Internet Explorer. I have locked down XP fully with Group Policy. Users still need right-click in Explorer to download pictures but are able to click on a link of a program and select Open, and this will then open and install the program. Users are also local power users.
I am trying to get around this by using software restriction policies, which come with 2003 Server.
My idea is based on the fact that when Internet Explorer is downloading a file, it stores it in its Temporary Internet Files folder, so I want to prevent Internet Explorer from being able to create program files such as .exe .zip in the temporary folder.
Using software restriction policy should be able to do this by using path rules.
I have tried a few combinations to achieve this but no luck.
For example:
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Internet Cache Files%\*.zip

%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths%\*.zip

%HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders%\*.zip

What I need is to be able to apply the policy to

c:\documents and settings\%username%\local settings\temporary internet files\%cache%\*.zip

Any ideas would be great in reaching this.

Thanks

Phil
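
Added example, not part of the original thread: a small Python resolver for the registry path rule form documented for Software Restriction Policies, `%Hive\Key\ValueName%` plus an optional suffix, showing that the last component inside the percent signs is read as a value name. The registry snapshot, the `user1` profile path and the helper names are constructed for illustration; a path rule controls what may run from a location, not what may be written there.

```python
import re

# Constructed registry snapshot and environment (XP-style sample values,
# not read from a live system).
SNAPSHOT = {
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
     "Cache"): r"%USERPROFILE%\Local Settings\Temporary Internet Files",
}
ENV = {"USERPROFILE": r"C:\Documents and Settings\user1"}
# Registry key and value names are case-insensitive, so index them lowercased.
REGISTRY = {(k.lower(), v.lower()): data for (k, v), data in SNAPSHOT.items()}

# The hive must be written out in full; abbreviations such as HKLM are not accepted.
HIVES = ("hkey_local_machine", "hkey_current_user")
RULE = re.compile(r"^%([^%]+)%(.*)$")


def expand_env(text):
    """Expand %VAR% references, as happens for REG_EXPAND_SZ data."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).upper(), m.group(0)), text)


def resolve_rule(rule):
    """Resolve a registry path rule to (path_pattern, None) or (None, reason)."""
    m = RULE.match(rule)
    if not m:
        return None, "not in %Hive\\Key\\ValueName%suffix form"
    reg_path, suffix = m.groups()
    # Everything after the last backslash is the value name, not a subkey.
    key, sep, value_name = reg_path.rpartition("\\")
    hive = key.split("\\", 1)[0].lower()
    if not sep or hive not in HIVES or "\\" not in key:
        return None, "need a full hive name, a key and a value name"
    data = REGISTRY.get((key.lower(), value_name.lower()))
    if data is None:
        return None, f"no string value named {value_name!r} under {key}"
    return expand_env(data) + suffix, None


if __name__ == "__main__":
    base = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
    for rule in (f"%{base}%\\*.zip",          # form tried in the post: ends at the key
                 f"%{base}\\Cache%\\*.zip"):  # names the Cache value inside that key
        print(rule, "->", resolve_rule(rule))
```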

by ewgny In reply to Software Restriction Poli ...

Your first priority should be to remove users from the Power Users group, and your problem will be solved. From a security standpoint, no users should be power users or local administrators. I'm guessing that you made the users power users to get a legacy application to run properly. In which case your strategy is backwards. Instead of making them power users and then spending time trying to limit the damage they can do, you should make them just plain users and spend your time getting the legacy software to run.
I'll give you an example of the dangers of making a user an admin or power user.
Several days ago one of my users exposed their PC to MYDOOM.M two hours after it was discovered, and two hours before my antivirus software released a pattern update for it.
Because the user was just a user, the virus could not write to the winnt folder or modify the registry. If that user was a power user or admin, that PC would have become infected.
