
Block downloading onto Windows XP

Old 02-24-2005, 03:44 AM   #1
Registered Member
 
Join Date: Jul 2004
Posts: 160
OS: Windows XP Pro and Home



Our office has a standard ADSL connection networked into 5 XP Pro PCs, each one running a copy of Norton Internet Security 2003 with latest LiveUpdate files always automatically installed.

One of the guys at work keeps downloading rubbish like MSN messenger and YIM onto one of the machines. I have repeatedly deleted them, and he just re-downloads no matter how much I tell him not to. Internet access is essential on that PC though as it's used to collect our emails and general web browsing by the staff who are not one of the 4 with access at their desk.

Quite simply I would like to know if anyone knows of a way to block all downloads onto that PC unless pre-approved. I want Windows Update and Norton LiveUpdate to continue receiving files, but I don't want him to keep downloading, especially as he always seems to pick programs riddled with malware.

Any help appreciated

__________________
theduck is offline  
Old 02-24-2005, 05:20 AM   #2
TSF Team Emeritus
 
Join Date: Oct 2004
Location: Omaha, The Center of the Universe
Posts: 7,633
OS: WinXP, Win2K3

You can configure the IE security settings to not allow downloads, then lock the security settings in group policy. This will still allow Norton and Windows to download updates.
Preventing the use of instant messaging is difficult. Simple port blocking firewalls will not be effective because clients can use common destination ports such as HTTP port 80 and FTP port 21. Most of the clients will even auto-configure themselves to use other ports than the default one if they are unable to communicate over the default port. Best practice is to lock down the machine with group policy.

__________________
crazijoe is offline  
Old 02-24-2005, 05:44 AM   #3
Registered Member
 
Join Date: Jul 2004
Posts: 160
OS: Windows XP Pro and Home


Thanks for the advice and I don't believe how dim I'm about to sound but....... could you talk me through how to do that? (there's no emoticon here for shame!)

Also I nearly forgot, will Outlook Express still operate ok with this setup or will it be a simple case of going into the NIS Firewall settings and allowing communications on ports 80 and 110?
__________________
theduck is offline  
Old 02-24-2005, 08:44 AM   #4
Registered User
 
Join Date: Jan 2005
Posts: 350
OS: WinXP



Quote:
One of the guys at work keeps downloading rubbish like MSN messenger and YIM onto one of the machines. I have repeatedly deleted them, and he just re-downloads no matter how much I tell him not to. Internet access is essential on that PC though as it's used to collect our emails and general web browsing by the staff who are not one of the 4 with access at their desk.
Personally I think that you should fire him, or have him fired. If you are responsible for the Computer Security, you should do whatever you can to get rid of him, or report him to whoever has the authority to get rid of him.

You don't have a computer problem, you have a User problem and his continued existence in your company represents an ongoing threat to the data of not only his workstation, but everyone else's as well.

A determined User can get around a lot of security barriers. Furthermore, it demoralizes all the other employees to have these types of restrictions put in place in order to control one rather stupid, willful and destructive personality. And terminating this idiot's employment will serve to underscore the importance of maintaining good computer security, particularly when the financial interests of the entire company are at stake.

At the very least, you should copy and print this out, and post it in a public place so that everyone, particularly the idiot, can see exactly what an anonymous stranger thinks of him, sight unseen.
__________________
Billy Brethren is offline  
Old 02-24-2005, 08:59 AM   #5
Registered Member
 
Join Date: Jul 2004
Posts: 160
OS: Windows XP Pro and Home


Well my theory is he's a good employee, it's only when he has nothing to do he downloads these little things he thinks are harmless. It'd be more demoralising to a company my size (only about 25/30 of us) to take action against him as such, so if I can just get a block on that computer, I can tell everyone "it's general security. Who else in this office knows what malware even is?" as I KNOW I'm the only one who does. They won't care, they only use it to look up British Standards website and other such resources.

My main concern is things getting on there without my knowledge. I don't mind users installing their own software, just as long as I know what it is and have approved it, but I work on a different floor so I can't keep an eye on that workstation like I do the others.
__________________
theduck is offline  
Old 02-24-2005, 09:44 AM   #6
TSF Team Emeritus
 
Join Date: Oct 2004
Location: Omaha, The Center of the Universe
Posts: 7,633
OS: WinXP, Win2K3

Are you using Active Directory?
If the problem is with a single user you could just set him in a different group with more restrictions. This way it doesn't affect the other users.
To disable downloads in IE: click on Tools, click on Internet Options, go to the Security tab, click on the Custom Level button, scroll down to File Download and disable, then click OK twice. Then go into your Group Policy MMC and disable the IE security option.
I am a systems administrator for a company of around 40 workstations. We implement GP because of the ignorance and the intelligence of the users. It's not just because the person is smart enough to "try" and work around the security measures, but to keep the not so computer savvy people from screwing things up. I'd say lock down the workstations. They are getting paid to work and not go shopping or IMing their friends on company computers. You could also implement a Website restriction program like webinspector. This way they can only go to websites you authorize them to go to.
Call me a NetworkNazi but sometimes you need to experience a catastrophe of an open policy to realize that some things need to be done.
__________________
crazijoe is offline  
Old 02-25-2005, 02:16 AM   #7
Registered Member
 
Join Date: Jul 2004
Posts: 160
OS: Windows XP Pro and Home


Well really I don't care overly about web surfing because there are times when any member of staff might have up to 2 hours with absolutely no work to do, and the directors policy is as long as work is done, you can spend your spare time surfing, just as long as the websites aren't adult or illegal content. There are only the 2 accounts on that PC, Technical which is the admin account that I can use to correct any problems and Users which everyone else uses as they don't have the Technical password. I will go and put on that download block now and that should hopefully solve the problems. If he wants to surf around websites he's more than welcome to but as you say it's the lack of computer savvy that makes it a dangerous situation. I saw him yesterday about to click OK in an installation that was informing him that NewDotNet services would be installed. I was screaming for about ten minutes "You HAVE to tell me if you want something installed and I'LL do it, you were just about to dump adware on the PC, it may not be huge but it all counts, I can get rid of it but how am I supposed to do that if you don't tell me you're putting it on there to start with, I can't spend my time baby sitting, you should be downgraded to a typewriter..........." etc etc.

So he HAS had an earful over this, don't worry about that!

Anyway I digress.......... Could you tell me how to use this active directory and group policies? I know it sounds daft but I'm kinda learning my job as I do it (aka I'm horribly underqualified). Does it alter anything that this particular pc is completely standalone besides the ADSL connection? We don't have it as part of the company workgroup and it isn't registered to a domain either.
__________________
theduck is offline  
Old 02-25-2005, 04:39 AM   #8
TSF Team Emeritus
 
Join Date: Oct 2004
Location: Omaha, The Center of the Universe
Posts: 7,633
OS: WinXP, Win2K3

Basically it is under Internet Explorer in Windows Components of the Administrative Templates Folder in GP. Enable the settings and apply it to the OU that he is in. AD and GP do take a while to figure out. I did it mostly by trial and error. When you have dead time, just go through the GP templates and see what each one does. You might even find things that you could use in the future.

__________________
crazijoe is offline  
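
The lock-down described in posts #6 and #8, written as a batch script for a standalone XP Pro machine with no domain. This is an added example, not something posted in the thread; it assumes the standard Internet Explorer zone registry values (Internet zone 3, action 1803) and the two "Security Zones" policies found under Computer Configuration > Administrative Templates > Windows Components > Internet Explorer, and that it is run from the administrator account.

```bat
@echo off
rem Added example, not from the thread. Run while logged on as the admin account.
setlocal
set "ZONE3=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
set "POLICY=HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"

rem Zone 3 is the Internet zone. Action 1803 is "File download":
rem 0 = enable, 3 = disable. Zone 2 (Trusted sites) is left unchanged.
reg add "%ZONE3%" /v 1803 /t REG_DWORD /d 3 /f >nul || goto fail

rem "Security Zones: Use only machine settings". IE then reads zone settings
rem from HKLM for every account, so the limited account gets the value set
rem above instead of its own HKCU copy.
reg add "%POLICY%" /v Security_HKLM_only /t REG_DWORD /d 1 /f >nul || goto fail

rem "Security Zones: Do not allow users to change policies". The Custom Level
rem settings can no longer be changed back from Internet Options.
reg add "%POLICY%" /v Security_options_edit /t REG_DWORD /d 1 /f >nul || goto fail

rem Read the values back so a silent failure is not mistaken for success.
reg query "%ZONE3%" /v 1803 | findstr /c:"0x3" >nul || goto fail
reg query "%POLICY%" /v Security_HKLM_only | findstr /c:"0x1" >nul || goto fail
reg query "%POLICY%" /v Security_options_edit | findstr /c:"0x1" >nul || goto fail

echo IE file download is disabled for the Internet zone and locked machine-wide.
exit /b 0

:fail
echo Lock-down not applied. Check that this account has administrator rights.
exit /b 1
```

Writing the zone value under HKLM rather than through the Internet Options dialog matters here because the dialog only changes the settings of whichever account is logged on at the time.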