Solution to prevent users from downloading files to PC and installing applications.

apatia77 · 28 May 2009 at 11:50

Hi,

My boss has asked me to find a solution to prevent users from downloading files to PC and installing applications.
Now I am not an expert and have no idea how to do it. I have managed to find that you can disable File Downloads in Internet Options/Security/Custom Level. And I suppose if we changed all User accounts from local Administrator to Restricted Users then they wouldn’t be able to change anything back. (But I need to test if Restricted account will be good enough to run all applications they need to run).

Now the problem is that even if the user has Restricted User account they can still install some application such as Firefox and some already have it on their machines which we don’t want to remove and I can’t find a way of stopping File Downloads in Firefox.
We have Win Server 2008 and about 30 client PCs, we also don’t use Group Policies and I have no experience with that nor does my manager, everything is done manually on each client machine when any changes to software etc. are required.
Thanks for all your help.

miniyazz · 28 May 2009 at 12:20

Microsoft SteadyState, not sure if it works on Server 2008 though. Worth a look - users can download files and install applications, but it reverts to the previous state on reboot. Might be what your boss is after; it means they can still do everything they used to be able to do, but no changes are made to the system come reboot.

apatia77 · 28 May 2009 at 12:27

We want to prevent users from downloading and installing things. SteadyState does not do it but thanks for your suggestion

eXor · 28 May 2009 at 12:43

http://www.windowsecurity.com/articles/Default-Deny-All-Applications-Part1.html

With SRP you can even limit local administrators from executing other code other than what you want them to

Don't know how accurate or relevant that article is, but it's worth a look.

Using a content filtering proxy is also an option.

theheyes · 28 May 2009 at 13:14

Are the client machines XP or Vista?

They really shouldn't be running as local administrator. First thing to do would be to create yourself a limited user account and check that all your business applications work. If any don't, look for the latest version. If you have some bespoke software you might have a bit of a headache and will have to cross that bridge when you come to it.

apatia77 · 28 May 2009 at 14:08

All client computers run on XP, we do have some bespoke applications but they seem to work just fine under Restricted User accounts. I will probably change the user account from Administrator's to Restricted on few machines to test if everything works fine.

I don't want to make it too complicated so I will present my boss solution that I already have.

paradigm · 28 May 2009 at 14:26

Group policy lockdown of workstations and user accounts is the way forward.

Probably a good idea to disable external storage devices whilst you are at it, to prevent people running "portable" versions of apps.

Mr Plow · 28 May 2009 at 23:35

You could also think about installing something like Centennial to keep track of what's installed on PCs and suspend/fire staff who keep breaking the company policy (I assume you have something written somewhere!).

They do a 30 day free trial of the Discovery package on their website.

http://www.centennial-software.com/