My first post on these forums, hoping it begins a lot of back scratching! I'm an IT Manager at a small private school (K-12), just looking for some assistance with software restrictions policies.
I'm currently rebuilding the policy I inherited as it is essentially an unrestricted policy with blacklisted paths (big/ugly) rather than a disallow policy with whitelistings (of which there would be fewer entries). I'm just a little unsure about what allowances to make for system paths etc., and I'll give a couple of examples:
I was wondering if anyone has dealt with these two scenarios and/or would be willing to share their SR policies (with particular attention to critical system paths).
- When a student is in Outlook Web Access and tries to open an attachment, SR kicks in with an error about loading Word (which normally loads fine) when trying to run from the Temp Internet Files folder (which I'd rather actually not whitelist for various reasons).
- Some students have worked out that they can run self-contained games (e.g. Minecraft) from a zipped folder without SR detecting it loading from the %temp% directory.
We found the easiest way to sort the Zip issue was partially enabling UAC. Auto denying any elevation requests for users, but allowing admins to elevate it in the normal right click method etc.
Originally Posted by Schikitar
The only issue we've had doing this, is that sims updates often won't run on a normal user account under this. So you'd either need to disable the UAC policy when updating, or do mimic-style login once after the updates, just so they flow through as admin.
In terms of #1, I know at least in Outlook you can change where attachments are loaded from by editing the registry. Not sure if it'll apply to OWA as well, but might be worth a shot. (It "may" change the entire temp folder location, so might want to double check this first actually)
But it's something like: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
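
For the rebuild described in the opening post, a read-only inventory of the inherited policy helps before any rule is moved. This is an added example, not something posted by anyone in the thread: it lists the default level and every path rule from the standard SRP policy keys, and marks Unrestricted rules that point into locations a standard user can usually write to. The function name `Get-SrpInventory` and the "user-writable" pattern are assumptions made for illustration.

```powershell
# Added example: read-only inventory of SRP settings and path rules. Nothing is modified.
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

# Assumption: heuristic pattern for locations a standard user can normally write to.
$userWritable = '%TEMP%|%TMP%|%APPDATA%|%LOCALAPPDATA%|%USERPROFILE%|\\Users\\|Temporary Internet Files'

function Get-SrpInventory {
    param(
        [string[]]$Roots = @(
            'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
            'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers')
    )
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }

        # DefaultLevel 0 = default-deny (whitelist model), 262144 = default-allow (blacklist model).
        $default = (Get-Item $root).GetValue('DefaultLevel')
        $defaultName = if ($null -eq $default) { 'not set' } else { $levelNames[[int]$default] }
        Write-Host "$root : default level = $defaultName"

        # Path rules live under <level>\Paths\{GUID}, where <level> is the numeric security level.
        foreach ($levelKey in Get-ChildItem $root) {
            $level = 0
            if (-not [int]::TryParse($levelKey.PSChildName, [ref]$level)) { continue }
            $pathsKey = Join-Path $levelKey.PSPath 'Paths'
            if (-not (Test-Path $pathsKey)) { continue }

            foreach ($rule in Get-ChildItem $pathsKey) {
                # Read ItemData unexpanded so %TEMP% and similar appear as written in the policy.
                $item = [string]$rule.GetValue('ItemData', '', $noExpand)
                [pscustomobject]@{
                    Scope       = $root.Substring(0, 4)
                    Level       = $levelNames[$level]
                    Path        = $item
                    Description = $rule.GetValue('Description', '')
                    # An allow rule inside a user-writable location lets users drop and run files there.
                    Review      = ($level -eq 262144 -and $item -match $userWritable)
                }
            }
        }
    }
}

Get-SrpInventory | Sort-Object Level, Path | Format-Table -AutoSize -Wrap
```

Run it on a machine that receives the policy. Hash rules are stored separately under `Hashes` and are not listed here.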