My network has WinXP Pro computers and uses NT and Netware servers. Does anyone have a recommendation for the best way to prevent a user from downloading/installing unauthorized files? Unfortunately, they use a program that will not work correctly unless the user is a member of the local Administrators group. So, I can't demote them to Power Users or Users. I have experimented in the past with creating a custom build of Internet Explorer using the IEAK. But, unless I'm doing something wrong, IE security will affect all users of the computer, including my own account. Bear in mind that some of my users are pretty computer-smart, so I have to have something that is airtight. Also, I'm working on limited funds, so it would need to be cheap or free. Any ideas?

Hi dazed&confused, I am in no way an expert when it comes to networking but I did some research to see what I could come up with that MIGHT help you. I am simply suggesting it, and it will be up to you to decide its relevance. I'm just attempting to be helpful :D .

Here you go:
http://www.statonline.com/solutions/intrusion_prevention/features.asp

I really don't know if that is what your looking for however it was the most relevant source I could run across.

Hope it helps and good luck to you. Post back its relevance so that way I and all the others on the forum know :p .

I appreciate the suggestion, but this seems to be pretty "heavyweight" for what I need. I work for the Federal Government, so the security is iron clad from the outside. But, security from the inside is less than perfect. I just keep thinking there MUST be a way to tweak Windows in order to keep a user from downloads and installations without having to purchase an entire security suite. Any other suggestions?

I may have found something else which may work. The program is called 1st Security Agent.

There are a wide array of limitation you can set and I have been using it for some time to limit Guest user right on my Windows XP Professional platform (especially unauthorized file downloads and changing the array of settings windows allows with normal installation).

I would highly recommend the program as it is very easy to navigate with a simple interface but I am uncertain if it will suffice your needs.

I am uncertain as to whether the 1st Security Agent program could have network implemenatations as you require, however it is worth a shot to look. In addition, if that may not help I would navigate around their website and possible ask them if they know of a similar program as 1st Security Agent for limiting access to users on a network.

Here is the creators web-site:

http://www.softheap.com/newadmin.html

Hope this helps and be sure to post back with more feedback.

I'm sorry -- I must have miscommunicated the problem. Let me describe my needs in different terms. I need a local utility (as opposed to a network implementation) to control one or two specific users who are a little too computer savvy. Unfortunately, I must give them Administrator rights locally (on the individual PC) so that they can use our software. So, it would not do me any good to be able to restrict the "Guest" account, or any other of the local user groups, because the users must be a member of the "Administrators" group.

I may be looking for something that does not exist, but I need a way to distinguish security levels among LOCAL user accounts, even though they are all members of the Administrators group. You see, I have to be careful what I try or else I am liable to lock down my own account, as well, after which time I may not be able to reverse the changes I made.

I could also describe the scenario this way --- Two network administrators share a WinXP computer. One of them does not want the other one to be able to install any programs or download any *.ZIP or *.EXE files. However, the security restriction should not be any stronger than is absolutely necessary, so that Administator #2 can continue his daily work. The quickest answer is to disable downloads in IE. But, remember this is a savvy computer user, so it needs to be something that is not so easily reversible.

I appreciate the suggestions, but I'm looking for a local, lightweight, and free utility. Anyone?

Is the user in question savvy enough to be familiar and competent with the gpedit MMC snap-in?

Forgive me if you have thought of this, but you could disable downloads in Internet Options, and then through gpedit you could disable the various pages (ie, the Security page) in the Internet Control Panel. This will remove the security options tab from Internet Options.The user would then have to reverse this in gpedit, then change the download settings in Internet Options>Security. It's a few more steps the user would have to take to reverse the changes. Maybe he/she would get the message then.

The above program I mentioned makes the changes (automatically; as with a check box) by means I assume that Malcore has described manually. The program allows you to password protect the program itself so that only certain knowledgable individuals with the user password will be able to access it and change the required settings (e.g. to disable file downloads in IE).


LET ME BREAK IT DOWN HOW SIMPLE THIS PROGRAM CHANGES COULD BE EVEN WITH 24 CHANGES IN SETTINGS:

1)All you do is make the changes and EXPORT the settings profile somewhere on your local hard drive (or a floppy disk) where it would be safe to limit the other users account.

2)Then EXPORT your settings via the program in a safe location (such as a floppy disk) so that you would easily be able to access the program and IMPORT your settings profile and have NO LIMITATIONS WHAT-SO-EVER.


For the account ADMIN you could use this in order to prevent the user from changing the settings back unless he knows the 1st Security Agent password. It may sound like a hassle however it is a very simple task, I try out MANY programs and it is by far one of the best I have run across thus far for the particular objective you're trying to accomplish.


If the settings you decided to change were very few then the following would suffice if you had accessed the program a few times and knew by memory where to change the settings:

To reverse the disabling of file downloads (and whatever limitation you wished to implement) all you would have to do is enter the password to gain access to the program interface and check the box (e.g for DISABLE FILE DOWNLOADS IN IE) and you would have the ability to download files again/ (AND IT DOES NOT REQUIRE A REBOOT FOR THE SETTINGS TO TAKE PLACE IMMEDIATELY). Keep in mind that there are a few setting that do require reboot depending upon what you are looking to change...



I apoligize for my misunderstanding, but this program IS NOT for networking capabilities, I am certain it is for a single PC which shares Windows XP. Unfortunately it does cost money which seems to be an important matter.

Please let us know if this helps and I apoligize for any misunderstandings. Sometimes I have problems comprehending what I read.

I now know EXACTLY what you are looking for... I will continue to look around for something which is similar to the above mentioned and for no money. In addition, I will attempt to see if I can find a program that is more hassle-free (however I am certain the above program is about as good as I can find in order to restrict savvy computer personnel).:cool: