disable .exe files in My Documents

[Baker72]

I have a W2k3 SP1 server, which the users login via Terminal server. The My
Documents folder is re-routed to another server. I need to stop the user from
installing and running .exe files from they "My Documents". Upgrading to W2K3
R2 is not an option for now...

Any ideas

 

[Thee Chicago Wolf]

Re: disable .exe files in My Documents

>I have a W2k3 SP1 server, which the users login via Terminal server. The My
>Documents folder is re-routed to another server. I need to stop the user from
>installing and running .exe files from they "My Documents". Upgrading to W2K3
>R2 is not an option for now...
>
>Any ideas

Sure. Try this: Start > Run > gpedit.msc OR if you've got a policy set
up, apply it to your specific policy

Navigate to the following keys and turn these on:

Local Computer Policy > Computer Config > Windows Settings > Security
Settings > Software Restriction Policies > Additional Rules

You should be able to set up a simple PATH rule to My Documents
disallowing *.exe, that should do it for that folder. If you need to
put it on other My Doc. folders, do as you see fit.


Next...
Local Computer Policy > Computer Config > Administrative Templates >
Windows Components > Windows Installer
-----------------------------------------------------------------------------------------------------------
Always Install With Elevated Privileges = Disabled
Enable User Control Over Install = Disabled
Prohibit User Installs = Enabled, User Install Behavior = Prohibit
Installs

The above should turn off the ability for anyone to install junk. They
pretty much speak for themselves.


Lastly...
User Configuration > Administrative Templates > Windows Components >
Windows Installer
-----------------------------------------------------------------------------------------------------------
Always install with elevated Privileges = Disabled
Prevent removable media source for any install = Enabled

If you need to, adjust these as well. Should put the hammer down on
those philistines. ;-)

Let me know how it goes.

- Thee Chicago Wolf

 

[Baker72]

Re: disable .exe files in My Documents

Wow, that is what I call detail information. Thanks man!!!

One more question. The policies should I configured them in the server that
they connect to, or the server where the My documents is located? I assumed
that is the one that they connect to...

"Thee Chicago Wolf" wrote:

> >I have a W2k3 SP1 server, which the users login via Terminal server. The My
> >Documents folder is re-routed to another server. I need to stop the user from
> >installing and running .exe files from they "My Documents". Upgrading to W2K3
> >R2 is not an option for now...
> >
> >Any ideas
>
> Sure. Try this: Start > Run > gpedit.msc OR if you've got a policy set
> up, apply it to your specific policy
>
> Navigate to the following keys and turn these on:
>
> Local Computer Policy > Computer Config > Windows Settings > Security
> Settings > Software Restriction Policies > Additional Rules
>
> You should be able to set up a simple PATH rule to My Documents
> disallowing *.exe, that should do it for that folder. If you need to
> put it on other My Doc. folders, do as you see fit.
>
>
> Next...
> Local Computer Policy > Computer Config > Administrative Templates >
> Windows Components > Windows Installer
> -----------------------------------------------------------------------------------------------------------
> Always Install With Elevated Privileges = Disabled
> Enable User Control Over Install = Disabled
> Prohibit User Installs = Enabled, User Install Behavior = Prohibit
> Installs
>
> The above should turn off the ability for anyone to install junk. They
> pretty much speak for themselves.
>
>
> Lastly...
> User Configuration > Administrative Templates > Windows Components >
> Windows Installer
> -----------------------------------------------------------------------------------------------------------
> Always install with elevated Privileges = Disabled
> Prevent removable media source for any install = Enabled
>
> If you need to, adjust these as well. Should put the hammer down on
> those philistines. ;-)
>
> Let me know how it goes.
>
> - Thee Chicago Wolf
>

 

[Thee Chicago Wolf]

Re: disable .exe files in My Documents

>Wow, that is what I call detail information. Thanks man!!!
>
>One more question. The policies should I configured them in the server that
>they connect to, or the server where the My documents is located? I assumed
>that is the one that they connect to...

On the server should be fine. Remember that these might also affect
the Admin account as well so you might have to temporarily disable
them to install stuff. However, I've only ever seen it complain with
MSI's. In any case, I don't know too many admins who install stuff on
their servers to have to worry about it. It's be interesting to see
how it works for you. Let me know, ok?

- Thee Chicago Wolf