Win account with ZERO install rights?

Discussion in 'Software' started by Mariku, Apr 19, 2011.

  1. Mariku

    Mariku Private E-2

    Hi all,

    what is the maximum extent to which one can prevent a windows user account from installing any software?

    By default, a limited account is limited in what software it allows the user to install, but still allows quite a lot of software to install nonetheless (the logic of which escapes me).

    I would prefer to limit a limited account to not allowing any installations at all, if possible.

    Any tips or tricks how to at least get close to this aim?

    THANKS!

    Matt
     
  2. techsent

    techsent Corporal

    Hey Matt,

    One option is to use the Guest account instead of limited Accounts.

    Another method would be to force restrictions on limited Accounts.

    Disable File downloads in Internet Explorer.
    http://www.pctools.com/guides/registry/detail/901/

    Disable Autoplay when usb and cd's are inserted.
    http://www.pctools.com/guides/registry/detail/1142/

    Hide Drive letters in My Computer except for C:\.
    http://www.pctools.com/guides/registry/detail/1281/

    Disable access to the cmd prompt.
    http://www.pctools.com/guides/registry/detail/1143/

    Remove Run from the Start menu.
    http://www.pctools.com/guides/registry/detail/151/

    Techsent
     
    Last edited: Apr 19, 2011
  3. Mariku

    Mariku Private E-2

    Hi again,

    thanks for the quick reply!

    Wasn't aware that the guest account really prevents any installations, does it really do that?

    Would the guest account be useful to use as an everyday normal working account then? Or does it come with any other problems that make that difficult?

    As to your other suggested methods (thanks!):

    I do some of them already, but they are all incomplete by their very nature, which is not your fault of course. It's annoying that I can't easily tell Windows to simply not allow any installs unless I'm logged in with administrator rights. Or can I?

    Hiding of drive letters does not make them inaccessible; it only prevents the non-computer-literate from accessing them really. And the c-drive is probably the one that I would most want to be hidden, if any!

    Disabling file downoad in IE would definitely help prevent non-computer-literate people from causing harm to an extent, I'll definitely do that!

    Cheers,

    Matt
     
  4. techsent

    techsent Corporal

    Hi Matt,

    You're welcome.

    Here's Microsoft's Help excerpt on the Guest account...

    What is a guest account?

    A guest account allows people to have temporary access to your computer. People using the guest account can't install software or hardware, change settings, or create a password.

    You have to turn on the guest account before it can be used. For instructions, see Turn the guest account on or off.

    Would the guest account be useful to use as an everyday normal working account then? Or does it come with any other problems that make that difficult?

    Just depends on what the computers are used for. You can enable the guest account and see how you go.

    Hiding of drive letters does not make them inaccessible; it only prevents the non-computer-literate from accessing them really. And the c-drive is probably the one that I would most want to be hidden, if any!

    If you like, you can hide the c: drive as well.

    Here's Microsoft's Group Policy excerpt on hiding the drives. As it notes, you can also disable access to mapping drives as well.

    Remove the Map and Disconnect Network Drive Options
    http://www.pctools.com/guides/registry/detail/161/

    Removes the icons representing selected hard drives from My Computer and Windows Explorer. Also, the drive letters representing the selected drives do not appear in the standard Open dialog box.

    To use this setting, select a drive or combination of drives in the drop-down list. To display all drives, disable this setting or select the "Do not restrict drives" option in the drop-down list.

    Note: This setting removes the drive icons. Users can still gain access to drive contents by using other methods, such as by typing the path to a directory on the drive in the Map Network Drive dialog box, in the Run dialog box, or in a command window.

    Also, this setting does not prevent users from using programs to access these drives or their contents. And, it does not prevent users from using the Disk Management snap-in to view and change drive characteristics.

    Also, see the "Prevent access to drives from My Computer" setting.

    Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting.

    You'd have to use a Third party program to monitor and prevent installs from occurring. Download.com may have something available.

    Techsent
     
  5. Colemanguy

    Colemanguy MajorGeek

    I would try majorgeeks.com for software needs, not download.com
     
  6. Mariku

    Mariku Private E-2

    @techsent:

    Thanks heaps for so many detailed infos! I knew the one or other bit already and had read the Microsoft Help part, but you gave me loads of new paths to investigate again, great - now where do I find the time to do that? ...


    @Colemanguy:

    Yeah probably I would prefer that too.

    Cheers,

    Matt
     
  7. techsent

    techsent Corporal


MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds