We’re looking for a way to let users be an administrator on their machine while preventing them from installing software. We want to enforce a policy that only authorized individuals can install software when requested and approved. Is there a way to do this?
There’s no 100 percent effective way to prevent your users from installing software if they’re administrators because administrator authority allows someone to do anything if he or she is savvy enough. (See law #6 of the immutable laws of computer security at http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx.)
That said, you can use Group Policy to make it difficult for the average user to install software. You must lock down every option on the users’ desktops that would allow them to run arbitrary commands or certain programs under %winroot%. This includes disabling the command prompt, autorun on CD-ROM drives, the registry editor, access to flash drives, the Add/Remove Programs applet, and more. In addition, you could use your software restriction policy to make it harder for users to install applications by adding D:\setup.exe or D:\install.exe to the list of apps that can’t be installed.
For what it’s worth, Windows Vista will finally make it practical to withhold administrator authority from end users and therefore prevent unauthorized software installation.
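As an added illustration (this is not code from the column or from Microsoft), the PowerShell script below writes the same registry values that the Group Policy settings named in the answer set: disabling the command prompt, the registry editor, AutoRun and Add/Remove Programs, denying removable-disk access, and adding Software Restriction Policy "Disallowed" path rules for D:\setup.exe and D:\install.exe. Writing the keys directly is only a local stand-in for a GPO; the HKCU values affect just the account that runs the script, and on a domain you would put these settings in a GPO so they are reapplied at refresh. The removable-storage policy key is the Windows Vista-era one, and the two installer paths are the ones from the answer and meant to be edited.

```powershell
# Added example: apply the per-user lockdowns and SRP path rules from the answer
# directly in the registry. Assumes an elevated PowerShell session. These are the
# keys the corresponding Group Policy settings write, so a domain GPO is the way
# to deploy them; this script just shows what those settings do on one machine.
#Requires -RunAsAdministrator

function Set-PolicyValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Value,
        [ValidateSet('DWord', 'QWord', 'ExpandString', 'String')] [string] $Type = 'DWord'
    )
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# --- Per-user desktop lockdowns (User Configuration\Administrative Templates) ---
# Disable the command prompt (2 = block interactive cmd.exe but still let batch files run).
Set-PolicyValue 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD' 2
# Prevent access to registry editing tools (regedit.exe, regedt32.exe).
Set-PolicyValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableRegistryTools' 1
# Turn off AutoRun on every drive type (0xFF sets all bits of the drive-type mask).
Set-PolicyValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun' 0xFF
# Remove the Add or Remove Programs applet.
Set-PolicyValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall' 'NoAddRemovePrograms' 1
# Deny all access to removable disks. This "Removable Storage Access" policy exists
# from Windows Vista on; the GUID is the Disk device setup class.
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}' 'Deny_All' 1

# --- Software Restriction Policy: Disallowed path rules for the installers named in the answer ---
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
Set-PolicyValue $safer 'DefaultLevel' 0x40000   # 0x40000 = Unrestricted; only the rules below block
Set-PolicyValue $safer 'TransparentEnabled' 1   # 1 = enforce for all software files except DLLs
Set-PolicyValue $safer 'PolicyScope' 0          # 0 = apply to all users, administrators included

function Add-SaferDisallowedPath {
    param([Parameter(Mandatory)] [string] $RulePath)
    # Subkey "0" under CodeIdentifiers is the Disallowed level; each rule gets its own GUID subkey.
    $key = Join-Path "$safer\0\Paths" ('{' + [guid]::NewGuid().ToString() + '}')
    Set-PolicyValue $key 'ItemData' $RulePath -Type ExpandString
    Set-PolicyValue $key 'SaferFlags' 0
    Set-PolicyValue $key 'LastModified' ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
}

# Paths taken from the answer; edit to match the media users actually receive.
foreach ($installer in 'D:\setup.exe', 'D:\install.exe') {
    Add-SaferDisallowedPath $installer
}

# Read back the rules that are now in place. Log off and on again (or, on a domain
# member, run gpupdate /force) for the per-user policies to take effect.
function Get-SaferDisallowedPaths {
    Get-ChildItem "$safer\0\Paths" -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty $_.PSPath).ItemData }
}
Get-SaferDisallowedPaths
```

Two things worth keeping in mind when using this: a path rule matches only the literal path, so a user who copies the installer elsewhere or runs it from another drive letter is not stopped (a rule on a whole directory, or a hash rule on the specific file, is harder to step around), and, as law #6 in the answer says, an account that is still an administrator can simply delete these keys, which is why the script cannot be more than a speed bump.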