Can anyone tell me of a method i can use that'll stop the users running any *.exe, *.bat, *.cmd, etc; files that run from specific places?
For example, i'd like to stop them running things off their home directory, flash drives, physical optical drives (not virtual ones though).
Thanks in advance all. :).
Interesting app that looks ideal.
Originally Posted by OutToLunch
Questions i couldnt gather from the manual though:
1 - How can this be rolled out to every computer on the network without inputting the names of every computer?
2 - Is the app itself invisible to the user? As the manual mentions an applet that can be viewed in CP. Asuming CP access is disabled via GPO, i asume that the app doesnt appear anywhere else?
Ive had a play, program seems alright, but any changes i make i need to wack everything out manually.
Plus, every computer has different drive setups, some labs have card readers for example, and all have virtual CD roms, so banning 'h:' for example will mess up some programs.
Is there a way/another app, to do this via GP? So that its only applied to the kids/staff and not admins too?
We do have NSS, which can do 90% of what we want to do, but it cant stop users running programs off their home drive unfortunatelly.
And while im happy keeping it running 24/7, its not the most stable of programs for me unfortunatelly.
You can do this with 2003 R2 servers and GP... at least.... I did ;)
Can't remember off hand what or where it is, but at least as far as the 2003 R2 servers go if they are the file server, its in File Restrictions or something similar in the Administrative Tools.
Don't happen to have 2003 R2 installed with it here so cant be specific but its a option to investigate possibly.
Certainly good for stopping .exe's and setups being run from a users home drive :)
There a lot of threads on software restriction policies/ SRP's.
Try this one: http://www.edugeek.net/forums/showthread.php?t=11315
I found trustnoexe to be buggy - caused lots of errors on my PCs. Although looks excellent, couldn't recommend it.
If you search the forums for Software Restriction policies you will find a lot of advice on how to do that sort of thing via GP. You can set it up to deny by default or allow, and then set up exceptions. We have it set to deny be default - after a couple of weeks we'd found all the wacky locations the legitimate software had installed to.
Originally Posted by boomam
The policy is set per user, so it gets around the problem of admins being blocked, but also presents you with a potential problem if your drive letters are not consistent throughout. What you can do is push out USBDLM (again via a GPO IIRC) which will let you set specific letters for USB drives to use.
EDIT: It's always dangerous posting at 4pm - everyone else posts the same thing directly before you, making you look a bit simple.
Just looking at USBDLM now.
Is it possible to use a software restriction policy to block the drive letters that i set for usage for USB drives by default? Or is it more of a global thing?