I would like to use gpedit to lock down all downloads, except those allowed by file type like mp3, docx, pdf etc., and all new installations (.exe, .msi, .bat etc.) for non-admin users in Windows 7 (regular desktop, non-domain) without affecting installed programs. I would also like to remove the option to enter the admin password while in non-admin accounts. A while ago I tried this in a VM; at the first attempt I locked out the admin account and had to create a new VM. At the second, I couldn't run/open installed programs in non-admin accounts. Many thanks in advance, any help is highly appreciated.
I think enabling the Guest Account is the easy way to go to solve your problem: you cannot install programs and it also locks the user out of changing many other settings. That's what I use on my laptop if somebody wants to use it, with a password on my admin account.
@ DAz999 thanks for the reply, but in my case the guest account is not an option as I wanna implement this (if I find a successful solution, that is) on many infected PCs that come to me (friends & family, mostly used by kids). I'm really tired of formatting & reinstalling Win 7 + other programs every other month.
Do what you have planned and they'll just complain you broke their computer because it won't do what it used to do. Been there; done that and have the scars to prove it. I eventually put them back in the config they wanted and refused to work on them any more. Since I was 2x and in some cases 4x the age of the users, I could get away with being a cantankerous old man.
Actually their parents (my friends/family) also want a lockdown, as they have to bring the PCs back n forth every now & then. Even now they (the kids) don't have admin passwords so they can't install software anyway, but somehow they're able to infect the PCs. So I'm thinking gpedit might be able to help here.
Here are two links that will help, I think: (Sorry, not enough posts for direct links) --www--.svherald.com/content/2010/04/01/90-windows-7-vulnerabilities-eliminated-removing-admin-users --www--.mechbgon.com/srp/ You already know the benefits of limited user accounts, I'm sure, but it's good reading for the other parents. The second link talks about setting up a "default denied" software restriction policy in conjunction with limited user accounts. This basically makes the c:\windows directory (and most others) read only so a limited user cannot install software. The limited user can run programs in c:\programfiles and that's about it. The Mechbgon page is a good read for anybody who wants to increase security on their machine, and it's pretty easy. USB sticks are still a problem because of Autorun and AutoPlay, but if you shut them down the screaming will really get loud, so the best solution there I think is to just make sure your antivirus scans ALL files that are read and written, not just certain extensions. I use Avira configured that way, and it catches most of that. Not perfect, but it's probably the best combination of user friendly and security. Lastly, I would suggest some good drive image software: Image for Windows, Acronis, etc. After you finish a new install, make a self-booting reinstall image of the drive on DVD. Then if you get asked to reinstall again you just pull out your DVD image and run the restore, which avoids the time of a complete reinstall. Hope that helps!
I was guessing USB sticks might have been your problem. That, or the kids were installing keyloggers to get their parents' passwords. But with both Software Restriction Policies (SRP) and Limited User Account (LUA) restrictions, as limited users the kids cannot install or run anything, even off USB sticks, as they need the admin password. They can only run programs in c:\programfiles. They can however copy files they download to a USB stick or another drive so they can save their personal documents. If you lock out all downloads I think you would be blocking the download of materials they would use for school reports, and parents would not be allowed to download from admin accounts, which they won't like. So that might be too restrictive for users. Perhaps play with your own machine set up this way for a couple of days. Do your surfing on the limited user account with LUA and SRP together and see what problems the setup gives you, if any. I think you can probably allow downloads 'cause they won't be able to install what they download. Anyway, glad you are getting somewhere!
@ dewot thanks again... Earlier I forgot to mention that lately I've been disabling ALL autoplay options and no one has complained about it, so that would kinda help with USBs... Now regarding downloads, I was thinking if I can block executables, but well, even without it, as you said, LUA with SRP will help a lot. A while ago when the Win 7 beta came out I played with gpedit but couldn't make it work. The reason I started searching again for a gpedit solution is that recently a friend's PC got a virus and the next day they received a call with a demand for a ransom to decrypt their docs; luckily they had everything on the external drive.
@ acrsn reimage is a good option and I've used Clonezilla a few times, but lately I'm getting a lot of PCs for one reason or another and keeping track of tons of images is kinda a problem... Is it possible to create a hardware-independent image, like without graphics etc. drivers but with all the other stuff like Flash, Java, Avira etc., which can be used on every PC... On the subject of infections, now I'm no security expert but was thinking to test the "LUA with SRP setup" against an actual virus on a test machine; I guess it wouldn't be hard to find a virus by visiting some bogus sites... Though I saw an option to disable Windows Installer in gpedit, that would block the things that use it, so that wouldn't help at all. Would love to know what mechanism all this virus stuff uses "to get installed"...
By "would love to know what mechanism all this virus stuff uses 'to get installed'"... what I meant was how they are able to "run". Let's say we block the following file types from being able to "run/execute": what are the other types that can execute themselves? Obviously they can't get installed in Linux or BSD (in their present/Windows form, not modified to run in Linux), so there has to be some mechanism that enables them to get installed. Default in gpedit > SRP > Designated File Types: ADE, ADP, BAS, BAT, CHM, CMD, COM, CPL, CRT, EXE, HLP, HTA, INF, INS, ISP, MDB, MSC, MSI, MSP, MST, OCX, PCD, PIF, REG, SCR, SHS, URL, VB, WSC plus some other types: DLL, Download, PAF, RAR, WS, WSF
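
An added example, not part of any post in this thread: a simplified Python model of the "default denied" SRP setup discussed above, showing which files a limited user could launch given the Designated File Types list quoted in the last post. The two unrestricted path rules, the sample paths and the function names are assumptions made for illustration; hash, certificate and zone rules are not modelled.

```python
import ntpath
from pathlib import PureWindowsPath

# Designated File Types as quoted in the post above (defaults, then the added ones).
DESIGNATED = set("""ADE ADP BAS BAT CHM CMD COM CPL CRT EXE HLP HTA INF INS ISP MDB
MSC MSI MSP MST OCX PCD PIF REG SCR SHS URL VB WSC DLL DOWNLOAD PAF RAR WS WSF""".split())

# Assumed "Unrestricted" path rules: folders a limited user cannot write to.
UNRESTRICTED = [PureWindowsPath(r"C:\Windows"), PureWindowsPath(r"C:\Program Files")]

def srp_decision(path, is_admin=False, default_level="Disallowed"):
    """Simplified model of the SRP check; returns (allowed, reason)."""
    if is_admin:
        return True, "enforcement set to skip local administrators"
    # normpath collapses ".." so C:\Windows\..\Users\x.exe is not mistaken for C:\Windows
    p = PureWindowsPath(ntpath.normpath(path))
    ext = p.suffix.lstrip(".").upper()
    if ext not in DESIGNATED:
        return True, "not a designated file type, so SRP does not check it"
    for root in UNRESTRICTED:
        if root in p.parents:  # Windows paths compare case-insensitively
            return True, "path rule: " + str(root)
    if default_level == "Disallowed":
        return False, "default level Disallowed, no path rule matched"
    return True, "default level Unrestricted"

# Constructed sample paths, not taken from the thread.
SAMPLES = [
    r"C:\Program Files\Mozilla Firefox\firefox.exe",  # installed program
    r"C:\Users\kid\Downloads\setup.exe",              # downloaded installer
    r"E:\games\screensaver.scr",                      # file on a USB stick
    r"C:\Users\kid\Downloads\report.pdf",             # school document
    r"C:\Users\kid\Downloads\song.mp3",               # media file
    r"C:\Users\kid\Downloads\photos.rar",             # RAR was added to the list
]

def audit(paths=SAMPLES, **kwargs):
    """Map each path to True (would launch) or False (would be blocked)."""
    return {p: srp_decision(p, **kwargs)[0] for p in paths}

if __name__ == "__main__":
    for path in SAMPLES:
        allowed, reason = srp_decision(path)
        print("ALLOW" if allowed else "BLOCK", path, "-", reason)
```

In this model downloads of pdf and mp3 files stay usable while downloaded or USB-borne executables are blocked, and adding RAR to the list also blocks opening archives outside the unrestricted folders.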