Status
Not open for further replies.

Block downloading onto Windows XP

21K views 7 replies 3 participants last post by  crazijoe 
#1 ·
Our office has a standard ADSL connection networked into 5 XP Pro PCs, each one running a copy of Norton Internet Security 2003 with latest LiveUpdate files always automatically installed.

One of the guys at work keeps downloading rubbish like MSN Messenger and YIM onto one of the machines. I have repeatedly deleted them, and he just re-downloads no matter how much I tell him not to. Internet access is essential on that PC though as it's used to collect our emails and general web browsing by the staff who are not one of the 4 with access at their desk.

Quite simply I would like to know if anyone knows of a way to block all downloads onto that PC unless pre-approved. I want Windows Update and Norton LiveUpdate to continue receiving files, but I don't want him to keep downloading, especially as he always seems to pick programs riddled with malware.

Any help appreciated
 
#2 ·
You can configure the IE security settings to not allow downloads, then lock the security settings in Group Policy. This will still allow Norton and Windows to download updates.
Preventing the use of instant messaging is difficult. Simple port blocking firewalls will not be effective because clients can use common destination ports such as HTTP port 80 and FTP port 21. Most of the clients will even auto-configure themselves to use other ports than the default one if they are unable to communicate over the default port. Best practice is to lock down the machine with group policy.
 
#3 ·
Thanks for the advice and I don't believe how dim I'm about to sound but....... could you talk me through how to do that? :4-dontkno (there's no emoticon here for shame!)

Also I nearly forgot, will Outlook Express still operate ok with this setup or will it be a simple case of going into the NIS Firewall settings and allowing communications on ports 80 and 110?
 
#4 ·
A Better Answer...

One of the guys at work keeps downloading rubbish like MSN Messenger and YIM onto one of the machines. I have repeatedly deleted them, and he just re-downloads no matter how much I tell him not to. Internet access is essential on that PC though as it's used to collect our emails and general web browsing by the staff who are not one of the 4 with access at their desk.
Personally I think that you should fire him, or have him fired. If you are responsible for the Computer Security, you should do whatever you can to get rid of him, or report him to whoever has the authority to get rid of him.

You don't have a computer problem, you have a User problem and his continued existence in your company represents an ongoing threat to the data of not only his workstation, but everyone else's as well.

A determined User can get around a lot of security barriers. Furthermore, it demoralizes all the other employees to have these types of restrictions put in place in order to control one rather stupid, willful and destructive personality. And terminating this idiot's employment will serve to underscore the importance of maintaining good computer security, particularly when the financial interests of the entire company are at stake.

At the very least, you should copy and print this out, and post it in a public place so that everyone, particularly the idiot, can see exactly what an anonymous stranger thinks of him, sight unseen.
 
#5 ·
Well my theory is he's a good employee, it's only when he has nothing to do he downloads these little things he thinks are harmless. It'd be more demoralising to a company my size (only about 25/30 of us) to take action against him as such, so if I can just get a block on that computer, I can tell everyone "it's general security. Who else in this office knows what malware even is?" as I KNOW I'm the only one who does. They won't care they only use it to look up British Standards website and other such resources.

My main concern is things getting on there without my knowledge. I don't mind users installing their own software, just as long as I know what it is and have approved it, but I work on a different floor so I can't keep an eye on that workstation like I do the others.
 
#6 · (Edited)
Are you using Active Directory?
If the problem is with a single user you could just set him in a different group with more restrictions. This way it doesn't affect the other users.
To disable downloads in IE: click on Tools, click on Internet Options, go to the Security tab, click on the Custom Level button, scroll down to File Download and disable, then click OK twice. Then go into your Group Policy MMC and disable the IE security option.
I am a systems administrator for a company of around 40 workstations. We implement GP because of the ignorance and the intelligence of the users. It's not just because the person is smart enough to "try" and work around the security measures, but to keep the not so computer savvy people from screwing things up. I'd say lock down the workstations. They are getting paid to work and not go shopping or IMing their friends on company computers. You could also implement a Website restriction program like webinspector. This way they can only go to websites you authorize them to go to.
Call me a NetworkNazi but sometimes you need to experience a catastrophe of an open policy to realize that some things need to be done.
 
#7 · (Edited)
Well really I don't care overly about web surfing because there are times when any member of staff might have up to 2 hours with absolutely no work to do, and the directors policy is as long as work is done, you can spend your spare time surfing, just as long as the websites aren't adult or illegal content. There are only the 2 accounts on that PC, Technical which is the admin account that I can use to correct any problems and Users which everyone else uses as they don't have the Technical password. I will go and put on that download block now and that should hopefully solve the problems. If he wants to surf around websites he's more than welcome to but as you say it's the lack of computer savvy that makes it a dangerous situation. I saw him yesterday about to click OK in an installation that was informing him that NewDotNet services would be installed. I was screaming for about ten minutes "You HAVE to tell me if you want something installed and I'LL do it, you were just about to dump adware on the PC, it may not be huge but it all counts, I can get rid of it but how am I supposed to do that if you don't tell me you're putting it on there to start with, I can't spend my time baby sitting, you should be downgraded to a typewriter..........." etc etc.

So he HAS had an earful over this, don't worry about that!

Anyway I digress.......... Could you tell me how to use this active directory and group policies? I know it sounds daft but I'm kinda learning my job as I do it (aka I'm horribly underqualified). Does it alter anything that this particular PC is completely standalone besides the ADSL connection? We don't have it as part of the company workgroup and it isn't registered to a domain either.
 
#8 ·
Basically it is under Internet Explorer in Windows Components of the Administrative Templates Folder in GP. Enable the settings and apply it to the OU that he is in. AD and GP do take a while to figure out. I did it mostly by trial and error. When you have dead time, just go through the GP templates and see what each one does. You might even find things that you could use in the future.
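
Added example, not part of any post in this thread: a batch script that applies the download block from post #6 and the policy lock from post #8 directly in the registry, then checks that each value took effect. It assumes a standalone XP Pro machine as described in post #7 and an administrator account; the variable names ZONE and POL and the :check helper are this script's own.

```bat
@echo off
rem Added example: disable IE file download in the Internet zone and lock it.
rem Run from an administrator account (the "Technical" account in this thread).
setlocal
set ZONE=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
set POL=HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

rem Zone 3 is the Internet zone. URL action 1803 is "File download":
rem 0 = enable, 3 = disable (the Custom Level setting from post #6).
reg add "%ZONE%" /v 1803 /t REG_DWORD /d 3 /f

rem "Security Zones: Use only machine settings" - IE reads zone settings
rem from HKLM for every account instead of each user's own HKCU copy.
reg add "%POL%" /v Security_HKLM_only /t REG_DWORD /d 1 /f

rem "Security Zones: Do not allow users to change policies" - disables the
rem Custom Level button and slider on the Security tab.
reg add "%POL%" /v Security_options_edit /t REG_DWORD /d 1 /f

rem Read each value back and report anything that did not stick.
set FAIL=0
call :check "%ZONE%" 1803 0x3
call :check "%POL%" Security_HKLM_only 0x1
call :check "%POL%" Security_options_edit 0x1
if %FAIL%==0 echo File download is disabled and locked for all accounts.
exit /b %FAIL%

:check
rem %1 = key (quoted), %2 = value name, %3 = expected data as reg.exe prints it
reg query %1 /v %2 2>nul | findstr /i /c:"%3" >nul
if errorlevel 1 (
  echo MISSING: %~1 value %2 should be %3
  set FAIL=1
)
goto :eof
```

Because the zone settings are machine-wide, the block applies to the administrator account as well; to install an approved download, set 1803 back to 0 from that account and re-run the script afterwards.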
 