Software Restriction Policies - Allow ONLY certain software
What's been everyones experience with allowing only a certain set of software? I'd like to make it so that only school applications can be run. No matter how much I try to restrict IE, students are always going to bring in more applications. They'll keep downloading their exe's and their iso's and their vb scripts and running them, but what I'd like to do is make it so only select software applications can be run.
I tried to block other web browsers etc. and make every user not a local administrator so they didn't have access to installing software, but then they go ahead and either install it to their network drive, or install it to the desktop, and it works perfectly.
Is there a way to use software restriction policies to only allow a certain set of applications to be run? For example only the preinstalled applications that I install with each image? My only concern is how well software restriction policies work. If they're as good as Apple's parental controls where you click the app you don't want them to run and your good to go, or if you have to hash every single DLL and system file required by each program. For a program like Adobe Premiere or Microsoft Office, that's a few hundred seperate hashes for each program that have to be fed through software restriction. Is it smart enough to just pick up the exe that's allowed, like WinWord.exe for Microsoft Word, realize Word is allowed, and use all features of Word? Or is there a better way that my mind is too busy to think of?
Re: Software Restriction Policies - Allow ONLY certain softw
I used to use software restriction policies. It is a major headache to setup, you need to allow all exes for each app. It does work well though. The only reason I don't use it now is because I recreated the pupil policy from scratch and never got around to putting the very lengthy list of apps back on
Re: Software Restriction Policies - Allow ONLY certain software
Software restriction policies in Group Policy will do this, but as mentioned it is tricky to setup.
We allow all EXE's in the c:\program files and c:\windows directory, as well as a few others that were installed elsewhere. We disallowed everywhere else. It took a while to get the correct list of allowed applications and directories, but once it was setup, it worked a treat.