microsoft.public.windowsxp.security_admin

Actually, there is no specific code within Windows that determines "Limited
users cannot install software"

A Limited User is only able to write to the HKCU registry section, and to
disk folders with in his/her own profile, plus a few in All Users. This has
the effect that most setup programs won't work, as they need to write to
"Program Files" and to the HKLM registry.

However, it is perfectly possible to write an installer that works within
these limitations.

One possible fix is to bar the execution of programs from within the user's
profile. This has the added benefit of preventing downloaded programs being
run. BeyondLogic's TrustNoExe does this and is very effective, though not
suitable for every situation. Worth a look anyway.

If the user has access to network shares, then of course they may also be
able to save downloaded programs there, and run them.

"Wobzo" wrote:

> I have a network where the newly deplouyed Workstations were tested such that
> Domain Users were unable to install anything.
> However it has recently happened that one of the so said users installed GE
> (Google earth).
> I found this to be very concerning as this should not have been possible.
> approximately 6+ months ago, I personally tested the ability to install GE as
> a user and it was not possible.
> They also seemed to be able to install "MySpaceIM". My initial thought was
> how was the user able to enter the keys under
> "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall".
> I think this maybe launching the application under "SYSTEM" credentials.
> All other local accounts are disabled and users are not members of anything
> other than local users group.
> What else are people able to run under the "SYSTEM" account?
> How can I prevent the users from installing?