[gptalk] Start on Software Restriction Policy

  • From: "Pankaj Bhakta" <bhakta@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 27 May 2008 23:27:09 +1200

Can someone please give me a start on Software Restriction Policy.

My environment is Win 2003 DC, and Win XP Pro desktops and Laptops.

I have two OU ie Desktops OU and Laptops OU

I require want to restrict users from downloading and installing games and
other files.

I was under the impression that by default users cannot install any software
on their desktop. 

As a test case, I logged in as a domain users and tried to install a program
called Sherif Draw Plus and found that it requires admin priviledge. 

However, from the same desktop when I downloaded SKYPE, I was able to
install it under the same user's login. 
I tried the same with Audacity and I was able to install it.

I am now confused. 

After reading a few materials on the net, I am about to give a start to
implement a Software Restriction Policy but I found that one school of
thought says that you should start by Implementing a Policy that would
disallow everything and add only rules to run the software we require.

The other school says that it is not safe and we should use the unrestricted
option with path rule to stop applications that we do not want to run.

Our general desktop users run MS office, IE, Firefox. We also run a vbs
login script to map the drives and printers.

I went though the archive and could not find anything on the best practices.
Since this forum is for the pros, I would seek your guidance. 

Thanks in advance,


Other related posts: