InDublin

Jul 27 2005, 07:42 PM

Hello there
Users need permissions to install applications, and in most situations users don't have the
necessary administrative rights, or permissions to do so.
Here's a link to the MS site, where they explain the permissions needed to install different
types of applications.
h**p://msdn.microsoft.com/library/default.asp?url=/library/enus/e2k3/e2k3/_techsel_criteria_20.asp
Assuming that you are using NTFS you should be able to set permissions to restrict who
can install applications. If you are not using NTFS you should convert your drives to
NTFS to benifit from it's security.
Caution: NTFS partitions are not accessible locally from operating systems like
Windows 98 and Windows 95. So, if you're dual booting with these operating systems, do
not convert to NTFS!
The convert command can be used from a command prompt as follows:
convert d: /fs:ntfs
The drive letter d: can be replaced by any drive letter to convert that drive...
Group policy is another option, where you can set software restriction policies to prevent
or allow certain applications to be run.
There are two situations you might be in with this XP PC...
1. If the PC's are part of a domain you can restrict all or several PCs by configuring a
group policy in active directory.
2. If the PC is a stand alone, home PC or in a workgroup you can configure software
restrictions through it's local group policy.
To open the local computer policy run:
GPEDIT.MSC
In a group policy, to restrict software navigate to the following area.
Computer Configuration/Windows Settings/Security Settings

There you'll find a container for software restriction policies.

There are no policies there usually, and if not you'll need to set them up. But it's easy to
do. Just right click the software restriction policies container and choose new software
restriction policies.
Then below software restriction policies, right click Additional Rules, and choose "New
Hash Rule", then simply browse to the .exe for the software you want to restrict and set it
to "disallowed".
To see the effects, you can refresh your policy settings by restarting the PC, or by running
GPUPDATE.
I hope this helps..
Damian

Date: Wed, 23 Jul 2003 18:39:37 +0200

Hi,
In non-domain environment you can create software restriction policy for
cmd.exe and command.com. You can do it in Group Policy.
Open Group policy -> expand Computer Configuration -> Security Settings ->
Software Restriction Policies! Right click additional rule and my suggestion
is Hash rule. It is most reliable but it is still possible to get around it.
E.g. applying service pack might change e.g. cmd.exe. This will most likely
change the hash and users will be able to run cmd.exe command.
In domain environment you can e.g. change permission on file and give only
admins e.g. full control and remove all other users and groups...
Open Group policy -> expand Computer Configuration -> Security Settings ->
File System. Add file from c:\windows\system32\cmd.exe and select who has
any rights on it...
Good luck :-)
-Mike
MCSA 2K, MCSE 2K, MCT, ...
"zuhair" <comp_kaz@yahoo.com> wrote in message
news:0d3601c3512d$a9e0b540$a601280a@phx.gbl...
> Any one knows how to restrict command prompt in proup
> policy