Software restriction policies allow for this scenario by restricting the software that a user can execute, including installers.
This can be done in two locations, and it is typically done in both for greater security. The first location is the computer policy: in Group Policy Management, go to “Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies -> Security Levels” and set the “Disallowed” level to be enabled. (Note that the Security Levels section may not appear until you right-click Software Restriction Policies and create a software restriction policy.)
Secondly, you do the same kind of thing in “User Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies -> Security Levels”.
Remember, user policies apply to OUs where users are stored, and computer policies apply to OUs where computers are stored. There is no benefit in applying a user policy to an OU where only computers reside, unless a child OU contains users.
The hardest part of getting software restrictions right is that, by default, the policy restricts EVERYTHING outside of the standard OS components from running. Thankfully, Microsoft gives us these locations and files by default when you create the policy.
There are several ways you can allow applications to run (or not run):
- Via a Path
- Via a file name
- Via an MD5 hash of the file
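
To confirm that both the computer and the user policy described above actually reached a machine, the following added example (not part of the original article) reads back the default security level and the path and hash rules from the registry. It assumes the policy is stored under the `Safer\CodeIdentifiers` policy keys in HKLM and HKCU; the function names are hypothetical.

```powershell
# Added example. Assumption: Group Policy writes Software Restriction Policy
# settings under Policies\Microsoft\Windows\Safer\CodeIdentifiers in HKLM
# (computer policy) and HKCU (user policy).
$levels = @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }

function Resolve-SrpLevel ($Value) {          # hypothetical helper name
    if ($null -eq $Value) { return 'Not set' }
    if ($levels.ContainsKey([int]$Value)) { return $levels[[int]$Value] }
    return "Other ($Value)"
}

function Get-SrpSummary {                     # hypothetical helper name
    param([Parameter(Mandatory)][string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Host "$Root : no policy applied"
        return
    }
    $default = (Get-ItemProperty -LiteralPath $Root).DefaultLevel
    Write-Host "$Root : default level = $(Resolve-SrpLevel $default)"

    # Rules live in one subkey per security level (0, 262144, ...).
    foreach ($levelKey in Get-ChildItem -LiteralPath $Root) {
        $level = 0
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$level)) { continue }
        foreach ($kind in 'Paths', 'Hashes') {
            $kindPath = Join-Path $levelKey.PSPath $kind
            if (-not (Test-Path -LiteralPath $kindPath)) { continue }
            foreach ($rule in Get-ChildItem -LiteralPath $kindPath) {
                $data = (Get-ItemProperty -LiteralPath $rule.PSPath).ItemData
                if ($data -is [byte[]]) {     # hash rules store raw digest bytes
                    $data = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
                }
                [pscustomobject]@{
                    Level = Resolve-SrpLevel $level
                    Type  = $kind
                    Rule  = $data
                }
            }
        }
    }
}

# Check the computer hive and the current user's hive.
'HKLM:', 'HKCU:' | ForEach-Object {
    Get-SrpSummary -Root "$_\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
} | Format-Table -AutoSize
```

A default level other than “Disallowed” in either hive means that half of the policy is not being enforced on that machine or for that user.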