Announcement

Collapse
No announcement yet.

Stop .exe launching

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Stop .exe launching

    We have just started using the shared computer toolkit and disk protection and this has saved us man hours and headaches with relation to users using trying to run there own software on our network.

    But as qucikly as we try to sort out the users, they will always find a way to run there own apps.

    We are therefore looking to disable users from running .exe or .msi files from there own H: drive or USB pen.

    Has anyone had any joy or used such a system.

  • #2
    Re: Stop .exe launching

    If you're specifically worried about apps running from USB removable disks, you may want to read this article:

    How can I prevent users from using USB removable disks (USB flash drives) by using Group Policy (GPO)?

    Are your users power users on their own computers, or just users, or local admins?
    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: Stop .exe launching

      Yep due to the software we run on the network, users are assigned as power users.

      We have looked at registry hacks for Autocad etc before so we do not need to assign power user status, but they never work.

      Chris

      Comment


      • #4
        Re: Stop .exe launching

        Does your company have a computer usage policy? I bring this up because where I work, our users are also power users, but the fear of the usage policy (e.g. getting in trouble / fired) stops a large percentage of them from even trying.

        Thankfully some apps need admin access to be installed. Gotta love telling someone they can't have iTunes at work "But I can play Windows Media Player at work, there's no difference!" "If there's no difference, then you can use WMP, right? Right." (we let them play music CDs at work)

        Back to the subject on hand, I can't think of a way to block exe's, or at least specific ones.
        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        Comment


        • #5
          Re: Stop .exe launching

          Yep we do, but our users are students and from our experience will try almost anything to get around policies and procedures.

          We will try and identify apps that they are running and block from the gpo, if we cannot find any other method.

          Cheers

          Comment


          • #6
            Re: Stop .exe launching

            I'm going to tell you now, the solution lies in the registry and what happens to .EXE files. You will need to change this behavior to go through a "broker" so-to-speak that arbitrates whether or not the EXE should run. Not a simple (but not an impossible) task.

            Also let me state, I have not seen this done so this would be an exploratory process for me as well. I just know this is where you'll need to address the problem should you wish a ubiquitous solution.
            Last edited by rvalstar; 6th December 2006, 18:36.
            Cheers,

            Rick

            ** Remember to give credit where credit is due and leave reputation points sigpic where appropriate **

            2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.

            Comment


            • #7
              Re: Stop .exe launching

              If you're running 2003 (I don't think it's an option in 2000) than you can use Software Restrictions. You can either block specific programs or you can block everything and only allow specific programs.
              Regards,
              Jeremy

              Network Consultant/Engineer
              Baltimore - Washington area and beyond
              www.gma-cpa.com

              Comment


              • #8
                Re: Stop .exe launching

                Software restrictions via the domain gpo on all drives other then C:\ this has enabled us to block users from running .exe/msi bat scripts etc from removable devices.

                Many Thanks

                Comment


                • #9
                  Re: Thanks for sharing

                  Thanks for sharing your answer with us! I'm sure others will also benefit from knowing what was wrong and how you fixed it.



                  However, we'de appreciate it if you could grant some reputation points to the user that helped you. Just click on the little Yin-Yang icon on the right of the user's answer and follow the prompt.
                  Cheers,

                  Daniel Petri
                  Microsoft Most Valuable Professional - Active Directory Directory Services
                  MCSA/E, MCTS, MCITP, MCT

                  Comment

                  Working...
                  X