Preventing users from installing software.
Users love to install stuff on their computers—I’m thinking Google toolbar, Yahoo toolbar, Skype and so on. Unfortunately many business don’t want users to be able to do this because if installing such software should destabilize their systems, support costs will escalate.
What are some of the ways you can try to prevent users from installing software on their computers?
First, make sure users are ordinary users and not members of the Power Users or Administrators local groups on their machines.
This should always be your first line of defense.
Second, you can implement software restriction policy using Group Policy to block specific executables or msi files from being run on targeted users’ machines.
Third, (AND MOST IMPORTANTLY!) you can block users from accessing the websites where they can download such software by configuring your perimeter firewall/proxy server.
And fourth, you could implement mandatory user profiles.
There are many ways to do it and you creativity and imagination is all that limits you. Good luck and if you need more specific advice let me know!
You are right, first a complete study needs to be done with regards to all the applications that you have in your organisation and the rights that are needed to work on these applications.
I have come across many such custom bulit applications that require a user to have administrator rights to even execute !!!!
The best way is to identify a single machine, make it a test bed for all applications and check each application individually .
You could partially prevent software installations by disabling the windows installer through a GPO, but since not all applications use the windows installer, this is not a complete solution.
To disable it, open the appropriate GPO in the Group Policty Management editor and enable the ‘disable windows installer’ option in Computer Configuration -> Policies -> Administrative templates -> Windows components -> Windows installer.