Windows Server 2000/2003 Thread, Software Restriction Policies (SRS) in Technical
I am having a problem with Software Restriction Policies not applying. I want to stop .exe, .zip running from students' mapped home folder. (H
I have tried adding environment variables and drive letter into "Additional Rules" with no success. I have enabled SRS Logging on a client and whilst logged in as a student and I run an exe or zip from the home folder it just runs with no restriction and is not logged either!?
Anyone have any ideas? My settings are below...
User Configuration > Windows Settings > Security Settings > Software Restriction Policies > Additional Rules
We have something similar set for our USB/external disks mapped to V:, W: or X: drive via USBDLM and it seems to work well. Could it be something with the homepath that it doesn't like?
Something that doesn't answer your query but could be another approach to dealing with this is applying file screening management on your file server where the homefolders are located. This is a file services role on Server 2008 (and I think 2003). You can use it to block certain file types e.g. EXE, VBS from being saved in their folder.
The reason you were unable to block executables from running within a zip file is because Windows extracts the executable to the user's temporary folder then executes them there. A path rule to disallow %Userprofiles%\Local Settings\temp should do it.
Set 7Zip in file associations - still opens 7Zip FM. I don't understand why!? .zip is definitely defined in 'designated file types'
Perhaps it's not being blocked because a zip file is opened rather than executed?
meastaugh1 - Hi thanks yes I saw this posted elsewhere and watched it happening from my client. I was a bit concerned it would break some programs from working?
In my experience, there may be one or two poorly thought out mini-applications that self-extract to the user's temp folder and then execute from there. You will be able to add explicit hash rules to allow these executables to run.
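When a rule appears not to apply, as in the opening post, it helps to see which rules the client actually received. The following is an added diagnostic example, not part of any post in this thread. It assumes PowerShell is available on the client and that SRP settings are stored under the `Safer\CodeIdentifiers` policy registry keys; run it while logged on as the affected student.

```powershell
# Added example: list the Software Restriction Policy rules present on this
# client for the computer (HKLM) and for the logged-on user (HKCU).
# Assumption: SRP is stored under the Safer\CodeIdentifiers policy keys.
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',  # Computer Configuration
    'HKCU:\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers'   # User Configuration
)
# Security level sub-key names and their meaning in the policy editor.
$levels = @{ '0' = 'Disallowed'; '131072' = 'Basic User'; '262144' = 'Unrestricted' }

foreach ($root in $roots) {
    if (-not (Test-Path $root)) {
        Write-Output "$root : no SRP policy present"
        continue
    }
    $cfg = Get-ItemProperty -Path $root
    $default = $levels[[string]$cfg.DefaultLevel]
    Write-Output "$root"
    Write-Output "  default level         : $default"
    Write-Output "  log file              : $($cfg.LogFileName)"
    Write-Output "  designated file types : $($cfg.ExecutableTypes -join ', ')"

    foreach ($levelKey in Get-ChildItem -Path $root) {
        $levelName = $levels[$levelKey.PSChildName]
        if (-not $levelName) { continue }          # skip sub-keys that are not a known level
        foreach ($kind in 'Paths', 'Hashes') {
            $kindPath = Join-Path $levelKey.PSPath $kind
            if (-not (Test-Path $kindPath)) { continue }
            foreach ($rule in Get-ChildItem -Path $kindPath) {
                $p = Get-ItemProperty -Path $rule.PSPath
                # Path rules keep the path in ItemData; environment variables are
                # shown expanded for the current user, which reveals what the rule
                # really resolves to. Hash rules are shown by description only.
                $detail = if ($kind -eq 'Paths') { $p.ItemData } else { $p.Description }
                Write-Output ("  {0,-12} {1,-6} {2}" -f $levelName, $kind, $detail)
            }
        }
    }
}
```

If the HKCU section shows no policy or lacks the expected path rule, the GPO is not reaching the user; if the rule is listed but resolves to a different path than the one the file is launched from, the rule itself needs changing.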