Internet Explorer 7

[tomscaper]

Hi

Sorry if this has been posted elsewhere i tried searching IE7 and Internet Explorer 7 but i havn't found anything yet.

We have just recently deployed IE7 around school, and i have recently noticed that the students are able to click on any exe, msi or any addons, and install them.

Would it be possible to have a look at anyones group policy settings to see if i have missed anything when i was locking it down.

Currently students cannot save files they click on but they are still able to run them directly.

I have been able to block exe and msi from our proxy but previously with IE6 the students were unable to download and run any files through internet explorer, but other file types will still be able to run.

[ZeroHour]

Ahh this gotcha, its not IE7 related specifically as IE6 could run downloads too.
Try adding a file execution policy block on:
C:\Documents and Settings\*\Local Settings\Temporary Internet Files
as thats the location that "run" exe's etc are actually run from.

[Michael]

I agree this is an Internet Explorer behaviour and there isn't a policy to switch it off unfortunately. It happens in IE5, 6, 7 and 8.

Zerohour's suggestion is a good one, but I am not sure if this would stop users opening PDFs or Word documents within IE as well?

[tomscaper]

I agree this is an Internet Explorer behaviour and there isn't a policy to switch it off unfortunately. It happens in IE5, 6, 7 and 8.

Zerohour's suggestion is a good one, but I am not sure if this would stop users opening PDFs or Word documents within IE as well?

Thats my main problem i want to stop specific files but not disable the others that are legitimate, I have been able to set it so that office docs open in there program rather than IE

I have been looking into this today and i think that something else has been changed as both staff and students can now install from cd.

Is there a policy with in windows to stop any kind of installtion unless administrator.

[Michael]

You could always remove access to D:\ altogether if access to disc drives aren't required. Hiding/restricting access to C:\ should stop most applications installing, but more common 'attempts' should be blocked using Software Restriction Policies.

[ZeroHour]

Zerohour's suggestion is a good one, but I am not sure if this would stop users opening PDFs or Word documents within IE as well?

It doesnt block things like that for us. Just the extensions we want like exe's etc.
PDF can open inside IE or do anything.

[Michael]

It doesnt block things like that for us. Just the extensions we want like exe's etc.
PDF can open inside IE or do anything.

That's good to know It's never bothered me too much even if users do run exe's, as nothing is displayed due to controlled Desktops/Start Menus. They soon get bored and machines get re-imaged eventually.