Not to throw in any windows, but how do you want to block portable applications that don't need installation, like Firefox Portable etc.?

From: darren@xxxxxxxxxxxx
To: gptalk@xxxxxxxxxxxxxxxxxxxx
Subject: [gptalk] Re: Opinion on my Software Restriction Policy
Date: Wed, 11 Jun 2008 05:58:15 -0700

Pankaj-

It's nearly impossible to prevent any kind of software installation, simply because software can be installed anywhere on the file system and it's impossible to prevent writes to every location on the local file system. However, there are a series of things you can do to make it very difficult for users to either install or execute unwanted code. Part of that is using Software Restriction Policy-based whitelists (i.e. disallow all code as the default rule and then allow only the apps below). Part of it is using other measures including:

--Making sure users are not members of the local Administrators or Power Users groups
--Removing the ability for MSI packages to install outside of managed apps (i.e. those deployed via GP) by enabling the policy at Computer Configuration\Admin. Templates\Windows Components\Windows Installer\Disable Windows Installer

Again, I think it's a combination of several steps that you will need to perform to ensure that only the code you want is executed.

Sincerely,
Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Pankaj Bhakta
Sent: Tuesday, June 10, 2008 10:47 PM
To: gptalk@xxxxxxxxxxxxxxxxxxxx
Subject: [gptalk] Opinion on my Software Restriction Policy

Hi,

We have a Win 2003 AD-based domain and users running Win XP SP2. The following applications are installed by our IT department on every workstation:

MS Office 2003 Pro
IE and Firefox
WinZip
Adobe Reader
Sonic RecordNow Plus - for burning CD/DVDs
Cyberlink PowerDVD

I want to set up a Software Restriction Policy to achieve the following:

a) Do not permit users to install any software
b) All the above mentioned applications run smoothly

On a test domain I have set up an SRP as follows (User Configuration):

Default Security Level - Disallowed
Enforcement Properties - All software files except libraries (such as DLLs) - All users except Local Administrators
Designated File Types - Removed .LNK from the Designated File Types
Path rules - The 4 default rules kept intact. Added the following:

%userprofile%\Start Menu\Programs
%allusersprofile%\Start Menu\Programs
%temp%
%windir%
\\myserver\netlogon\*.bat - running login scripts
\\myserver\netlogon\*.vbs - running login scripts

Although I removed .LNK from the Designated File Types, the shortcuts on the desktop did not seem to work, so I added the following path rules:

%allusersprofile%\desktop\*.lnk
%userprofile%\desktop\*.lnk

Everything seems to be working as I wanted. All my applications that are already installed are working fine. The applications that have desktop shortcuts are working fine. I also tested and found that the users cannot install any application. To me things seem to work alright, but I would still request your valued opinion & suggestion before I apply the policy on the production domain.

Cheers,
Pankajb
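An added example, not code from anyone in this thread: a PowerShell 3.0+ audit that reads the SRP path rules from their registry store and flags allow rules whose path begins in a location ordinary users can write to (such as the %temp% and %userprofile% rules above), which is what a default-Disallowed whitelist depends on not having. The "writable prefix" list and the constructed sample rule set are this example's own assumptions.

```powershell
# Added example (not from the thread). Lists SRP path rules from the registry and
# flags rules at a non-Disallowed level whose path starts in a user-writable
# location. The writable-prefix list below is this example's own assumption; the
# registry layout (...\Safer\CodeIdentifiers\<level>\Paths\{guid}, value ItemData)
# is the standard SRP store. Use -Hive HKCU for a policy set under User Configuration.

$levelNames = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }
$writablePrefixes = @('%temp%', '%tmp%', '%userprofile%', '%allusersprofile%',
                      '%appdata%', '%localappdata%', '%public%')

function Get-SrpPathRules {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM')
    $base = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    foreach ($level in $levelNames.Keys) {
        $pathsKey = "$base\$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($ruleKey in Get-ChildItem $pathsKey) {
            # ItemData is REG_EXPAND_SZ; read it unexpanded so '%temp%' stays
            # '%temp%' instead of becoming the current user's temp directory.
            $opts = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
            [pscustomobject]@{
                Level       = $levelNames[$level]
                Path        = [string]$ruleKey.GetValue('ItemData', '', $opts)
                Description = [string]$ruleKey.GetValue('Description', '')
            }
        }
    }
}

function Find-WeakAllowRules {
    param([object[]]$Rules)
    foreach ($rule in $Rules) {
        if ($rule.Level -eq 'Disallowed') { continue }
        $p = $rule.Path.ToLowerInvariant()
        foreach ($prefix in $writablePrefixes) {
            if ($p.StartsWith($prefix)) { $rule; break }
        }
    }
}

# Constructed sample mirroring the rules described in the thread, so the check can
# run without touching the registry; replace with (Get-SrpPathRules -Hive HKCU).
$sample = @(
    [pscustomobject]@{ Level = 'Unrestricted'; Path = '%userprofile%\Start Menu\Programs'; Description = '' }
    [pscustomobject]@{ Level = 'Unrestricted'; Path = '%temp%';                           Description = '' }
    [pscustomobject]@{ Level = 'Unrestricted'; Path = '%windir%';                         Description = '' }
    [pscustomobject]@{ Level = 'Unrestricted'; Path = '\\myserver\netlogon\*.bat';        Description = 'login scripts' }
)
Find-WeakAllowRules -Rules $sample | Format-Table Level, Path -AutoSize
```

On the constructed sample this reports the %userprofile% and %temp% rules and leaves %windir% and the netlogon share alone; each flagged rule is a location where a standard user can drop and run an executable despite the Disallowed default.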