What about setting the proxy settings as per-machine rather than per-user? That should prevent them from changing the keys under HKLM, assuming of course that they don't have local admin rights on the system. The only catch is that you can't configure the per-computer proxy settings directly through Group Policy. You either have to write a custom ADM for them or import a .reg file containing the settings at computer startup. See this article for more details. http://www.jsifaq.com/SF/Tips/Tip.aspx?id=10097 Blocking direct port 80 outbound connections is the way most people do it, but this should work for you. //signed// Jamie R Nelson Systems Engineer Ingenium Corporation ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Thursday, June 07, 2007 10:04 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: vb scripts running from USB keys You might be able to restrict this using Software Restriction Policy (assuming your clients are XP and above). I'm not sure if you use other "legitimate" .vbs scripts in your environment, but you could use SRP to block execution of cscript.exe and wscript.exe and that would prevent all WSH scripts from running. Darren From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Christine Whitewood Sent: Thursday, June 07, 2007 5:09 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: vb scripts running from USB keys Yes you are correct, I was hoping there would be a way with GPO Chris Whitewood Network Administrator St Francis Xavier College Beaconsfield/Berwick ________________________________ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Nelson, Jamie R Contr 72 CS/SCBAF Sent: Friday, 8 June 2007 10:02 AM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: vb scripts running from USB keys I assume you mean that they are getting to websites they are not supposed to by turning off the proxy settings in their browsers? If that is the case then you should block port 80 traffic outbound (only allowing your proxy server out) on your external router so that users can't get to the internet unless it is through your web proxy. That or run a transparent proxy service. If I am incorrect, please explain in more detail. //signed// Jamie R Nelson Systems Engineer Ingenium Corporation ________________________________ From: Christine Whitewood Sent: Thu 6/7/2007 5:37 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] vb scripts running from USB keys Can anyone tell me how to stop this happening? Our students are running scripts that get them round our proxy. Regards Chris Whitewood Network Administrator St Francis Xavier College Beaconsfield/Berwick