Hiding executables in documents!
Ok, so we can prevent students running applications (you define what is considered an application) from their user areas/home drives/pen drives etc using a combination of Fileserver resource manager (2003 R2) and software restriction policies.
But how do you guys stop students executing applications they've embedded in word (and potentially any office application or any other OLE capable app) documents?
I figured the best way to do that was to identify where it launches from, and I find it points to docs & settings\username\local settings\temporary internet files\blah blah. So I figure I can use software restriction policies to restrict C:\Documents and Settings\.
This works.... however... applications with shortcuts in docs and settings\all users\start menu or even desktop for that matter won't launch now... Alrighty, so now we'll create another software restriction policy, this time 'unrestricted' for docs and settings\all users - well, that's great... right?
I admit I haven't tested many applications, however I do know of one application called InPage Urdu (some crazy app to type backards/in urdu) when launched appears to create/launch something in the users temp folder.
So, what I'm interested in is have any of you guys got any suggestions/tips for how you stop students accessing executables?