Restrict normal user program installation on Windows XP

  • Question

  • I would like to restrict normal desktop users from installing shareware, freeware or other programs onto the C: drive on the desktop. Can someone please enlighten me? Thanks

    Tuesday, June 2, 2009 6:12 AM


All replies

  • Perhaps you can use GPO to restrict it.

    Wednesday, June 3, 2009 4:10 AM
  • You could publish the applications you want your users to be able to install via Group Policy. They could then install via Add/Remove Programs.
    Wednesday, June 3, 2009 8:35 PM
  • By "normal desktop users" on Windows XP, I assume you mean "running as administrator on the local machine".  I don't know of a way, other than setting them up as standard non-admin users (which has its own set of problems on Windows XP) that you would be able to enforce this.

    Good news is that in Windows 7 we have AppLocker, which can be applied through policy.  This will allow you to create rules against applications, installers, and scripts - and build rules that look at version or publisher information.  You can create white-lists of the applications/installers/scripts that you will allow, and block everything else.

    For now, I suggest that you search for some good information (I'm sure there's plenty out there) on how to effectively set your users up as non-admins running on XP. 

    Kevin Remde US IT Evangelism - Microsoft Corporation http://blogs.technet.com/kevinremde
    Saturday, June 6, 2009 12:00 PM
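
The AppLocker white-list approach described in the reply above, as an added PowerShell example that is not part of the thread or Microsoft's own code. It assumes Windows 7 or later with the AppLocker module; the reference directories, the output file and the Downloads folder used for the dry run are assumptions chosen for illustration.

```powershell
# Added example: build an allow-list from trusted locations and dry-run it.
Import-Module AppLocker

# Assumed reference locations that hold the software users are allowed to run.
$referenceDirs = @($env:ProgramFiles, $env:windir)
$policyFile    = Join-Path $env:TEMP 'applocker-whitelist.xml'   # hypothetical output path

# Collect publisher, hash and path data for executables, installers and scripts.
$fileInfo = foreach ($dir in $referenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse `
        -FileType Exe, WindowsInstaller, Script -ErrorAction SilentlyContinue
}

# Allow rules: publisher rules for signed files, hash rules as the fallback
# for unsigned ones. -Optimize merges similar rules to keep the policy small.
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix 'Baseline' -Optimize -Xml |
    Out-File -FilePath $policyFile

# Dry run against a user-writable folder (assumed: the Downloads folder).
# Nothing is applied to the machine; the policy is only evaluated.
$candidates = Get-ChildItem (Join-Path $env:USERPROFILE 'Downloads') -Recurse `
    -Include *.exe, *.msi, *.ps1 -ErrorAction SilentlyContinue

if ($candidates) {
    $paths = $candidates | ForEach-Object { $_.FullName }
    # Files with no matching allow rule are reported as DeniedByDefault,
    # which is the "block everything else" behaviour once the policy is enforced.
    Test-AppLockerPolicy -XmlPolicy $policyFile -Path $paths -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}
```

Review the generated XML and the dry-run output before deploying the policy through Group Policy; rules are only evaluated on clients where the Application Identity service is running.
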
  • In my experience with this type of thing, there are so many applications that need local admin rights, getting the "standard user" is rather difficult.  You might be able to use Software Restriction Policies in a GPO with certificate-based rules to prevent MSI installs and perhaps a Hash or Path rule to prevent installed applications from running, but I do not know of any way to ensure no installations.

    There are also things to keep in mind about management of the environment.  Being able to work on issues while a user is logged in can be a lifesaver.  Not a best practice, but quite practical.  In XP there is not really a great way to have both restricted and full access (other than run as).  I have found changing user rights a good idea, if you can get it to work or have systems where Local Admin isn't required by an application, but it will take some getting used to to log in as admin before making changes.

    Hope this helps

    Derek Schauland, MCSE | Microsoft MVP - File System Storage | Technology Addict
    Thursday, July 9, 2009 1:57 PM
  • Hi,

    Here are the GPO details for your issue:



    Mumin CICEK | Exchange - MVP | www.cozumpark.com | www.mumincicek.com
    • Marked as answer by Kevin Remde Sunday, July 12, 2009 4:53 PM
    Sunday, July 12, 2009 4:29 AM