Group Policy editor

[flashsnaps]

Hello,

I am trying to edit group policy on a windows 2003 server.

How can I set it, so that students cannot download and install firefox because it bypasses our proxy filter - which works on Internet explorer?

Many thanks

[ajs]

You could add the Firefox setup executable and the Firefox executable itself into the list of programs that cannot be run:

User Configuration -> Administrative Templates -> System -> Don't run specified Windows applications.

However, this wouldn't stop anyone from bringing in a renamed copy of the setup or running Firefox portable and renaming the executable.

What sort of proxy filtering do you have?

[flashsnaps]

It was already in place when I got here.
It's by a company called Bloxx. Doesn't appear to be that good. I have disabled exe files in it, and it doesn't seem to do a good job on that either.
Would disabling EXE files from running in group policy be a wise move?

[Michael]

You'd be better off blocking mozilla.com and other file sharing sites where FireFox might be hosted, rather than .exe's altogether.

[Domino]

stopping the kids downloading it wouldn't stop them brining it in on cd or usb stick though.

Stopping it running in GP would be a good move - also stopping the kids being able to install apps.

Maybe also change your default gateway to be the bloxx system, thereby stopping un-proxied access to the web.

[flashsnaps]

stopping the kids downloading it wouldn't stop them brining it in on cd or usb stick though.

Stopping it running in GP would be a good move - also stopping the kids being able to install apps.

Maybe also change your default gateway to be the bloxx system, thereby stopping un-proxied access to the web.

Domino can you advise me on disabling users from installing apps

[Domino]

you can disable the windows installer with group policy http://www.microsoft.com/technet/pro....mspx?mfr=true

but this could cause issues depending on your setup.

A better, but much more involved/difficult way is to use software restriction policies - although this will take some doing

a quick forum/wiki search should bring up the right info

[flashsnaps]

Ok Thanks for your help guys

[Galway]

It might be worth noting that the Dida/Cida course says students must provide evedance of work in multiple browsers. I have the USB version of firefox setup on a network share so allow this to be achieved.

If the students are abusing this then this is a teaching / supervision issue and should be refered to the teaching staff.

Try setting up a Software restriction policy. I found it very easy to block students access to executables, and is the best way to stop students from hacking the network and use only the software provided.

If you need help then PM me and I can try to arange a time where I can show you how I achieved it.

[powdarrmonkey]

Much better would be to deny outbound traffic except which has been through your proxy, then it doesn't matter what browser is in use. You don't have to spend time running around trying to work out what's being used and how to block it, because the kids will almost always be one step ahead of you

[Roger]

You can use either of the above, FSRM is part of Server2003 R2, Sophos`s Application Control is part of Sophos Enterprise Console.

We find Sophos Application Control very easy to use, you can selected applications by name\type.
Roger

[ChrisP]

Easy to achive this with IMPERO.

I would then present the kid to their head of house as i presume this breakes your IT AUP by attemting to bypass school internet filtering.