Points taken... However, my original point was that a typical user (non-administrator) does not have write access to HKLM\Software Key.

Assuming a Windows 2000 Box with SP 3 your permission set for HKLM\Software is?

    Administrators and System = Full Control
    Users and TS Users = Read
    (Let's assume you have removed Power Users)

Let's also assume you have created a Global Group named FARM_ACCESS and a local group named FARM_ACCESS. Add your GG to LG. You "lock" down access to "Log on Local" and "Access this computer via the network" with the FARM_ACCESS and Admins only. (Normal stuff)

You modify the NTFS permissions on C: to (LG)Farm_access=RO (although some directories will require change), LocalAdmins=Full, System=Full..... Let's assume for this exercise that FARM_ACCESS has RO to Program Files and Administrators + System have Full Control.

The user that logs on has NO administrative rights and NO access to install programs on the Terminal Server.

For your IE policies you have customized the security settings for Internet and performed all the "normal" modifications:

    Downloads
        Disable File Downloads
        Disable Font Downloads
    Active X
        Download unsigned controls = Disabled
        Unsafe controls = Disabled
    Misc
        Disable Drag and Drop
        Disable launching applications
        Etc...............

In addition, you have made the typical GP adjustments like.........

    1. Deny Access to local drives
    2. Blah...Blah...Blah...

The user should not be able to download or install anything on the server. Except, they can go to Hotbar.com and the installation WILL run. Even with these restrictions in place the Active X component will install the program.

As stated earlier, my resolution to this (rather than completely disallowing internet access), was to leave the Hotbar directory intact and set Everyone to Deny. This resolved the problem. You should also disable access to the site in Proxy Server or your Firewall. I did this on the Proxy Side.
I am interested to know how this program was able to install with all these restrictions in effect. I meant to take additional time to research this but got sidetracked.

Thanks.

Murphy

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Braebaum, Neil
Sent: Thursday, February 06, 2003 7:57 AM
To: 'thin@xxxxxxxxxxxxx'

Comments inline...

> -----Original Message-----
> From: Brian Murphy [mailto:bem9127@xxxxxxxxx]
> Sent: 06 February 2003 13:49
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Re: Installing Programs on the Server
> Importance: Low
>
> You don't seem to need admin rights to install the Hotbar. It uses an
> ActiveX control for the installation via the website.

Then you need admin rights, and / or conducive DACLs on both (probably) the local filesystem, and hives of the registry that *users* shouldn't be able to modify.

> I have seen the problem before. You can't restrict ActiveX in IE
> unless you want your users to be prompted every
> 5 seconds when browsing the internet.

You can, unless you don't want to exercise some semblance of control over what happens with communal server resource. ActiveX can be restricted by various means - often done at firewall level, never mind any local restrictions.

> My resolution to the
> problem was to leave the Hotbar directory intact under C:\Program
> Files and then change the NTFS permissions to "Deny" Everyone. Then
> you need to remove the registry key under HKLM\Software and I believe
> a corresponding key under HKCU\Software

You would allow a normal user to modify HKLM in the first place???

> This will keep them from being able to reinstall because the
> installation will fail when it tries to reinstall into Program Files.

Stop them in the first place - unless you have a business need for them to have free rein - in which case perhaps terminal server is not the most appropriate choice - perhaps a normal desktop / PC solution would be better.
It's decidedly difficult to manage a scenario where terminal server users can modify the local server - and it destroys a lot of the advantages.

Neil

********************************************
This Week's Sponsor: triCerat Inc.
Let triCerat simplify the administration of your Terminal Servers.
http://www.triCerat.com
********************************************
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
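
The DACL question raised in the thread (who can actually write to HKLM\Software and Program Files) can be checked directly. As an added example that is not part of either message, this PowerShell function lists Allow ACEs granting write-type rights on those two locations to anyone outside a trusted set. It assumes a host with PowerShell 3.0 or later rather than the Windows 2000 box described; the function name and the trusted SID list are assumptions.

```powershell
# Added example (not from the thread): list Allow ACEs that give a
# non-administrative principal write-type access to the two locations
# discussed above. The trusted SID list is an assumption; extend it
# (for example with TrustedInstaller) to suit the server being audited.
$trustedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-3-0'         # CREATOR OWNER (inherit-only placeholder ACE)
)
$generic  = 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL
$fsWrite  = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$regWrite = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'
$sidType  = [System.Security.Principal.SecurityIdentifier]

function Get-NonAdminWriteAce {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        $acl = Get-Acl -LiteralPath $p
        # Explicit and inherited ACEs, with identities returned as SIDs so
        # the comparison does not depend on localized group names.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Value
            if ($trustedSids -contains $sid) { continue }
            $isReg  = $ace -is [System.Security.AccessControl.RegistryAccessRule]
            $rights = if ($isReg) { $ace.RegistryRights } else { $ace.FileSystemRights }
            $mask   = if ($isReg) { $regWrite } else { $fsWrite }
            # Skip read-only ACEs; keep anything with a write or generic-write bit.
            if (([int]$rights -band ($mask -bor $generic)) -eq 0) { continue }
            $name = try {
                $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $sid }   # fall back to the SID if it cannot be resolved
            [pscustomobject]@{
                Path = $p; Principal = $name; Rights = $rights
                Inherited = $ace.IsInherited; AppliesTo = $ace.InheritanceFlags
            }
        }
    }
}

Get-NonAdminWriteAce -Path 'HKLM:\SOFTWARE', $env:ProgramFiles | Format-Table -AutoSize
```

An empty result means no principal outside the trusted list holds write-type access at the top of either location; subkeys and subdirectories with their own explicit ACEs need the same check run against their paths.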