microsoft.public.windowsxp.security_admin

Wobzo wrote:
> I have a network where the newly deplouyed Workstations were tested
> such that Domain Users were unable to install anything.
> However it has recently happened that one of the so said users
> installed GE (Google earth).
> I found this to be very concerning as this should not have been
> possible. approximately 6+ months ago, I personally tested the
> ability to install GE as a user and it was not possible.
> They also seemed to be able to install "MySpaceIM". My initial
> thought was how was the user able to enter the keys under
> "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall".
> I think this maybe launching the application under "SYSTEM"
> credentials.
> All other local accounts are disabled and users are not members of
> anything other than local users group.
> What else are people able to run under the "SYSTEM" account?
> How can I prevent the users from installing?

To add to the other reply -

You can't prevent limited users from installing software entirely, merely
based on their local group membership. As you've just seen, a lot of apps
don't require special permissions to install ...they don't write to the
restricted areas of the registry & file system.

You should look into group policy options to lock down your desktops if this
is a real concern at your company - software restriction can work well
although it can also be dangerous (play with this in a lab before
deploying). Try posting in microsoft.publicwindows.group_policy for more
help.