Prohibit installation of programs in XP

Source: Internet
Author: User

 

About Disabling Installation in XP

Setting method:

1. Right-click My Computer and choose Manage > Local Users and Groups > Users > Administrator > Set Password.

2. View the properties of each of the other users in turn and open the "Member Of" tab. If Administrator or Administrators is listed, delete it, then click Add, select Advanced in the pop-up dialog box, click Find Now, select Users, and click OK.

3. Add a new user for the company to use to log on to the computer. Be sure not to grant it Administrator or Administrators permissions, that is, it must not belong to either of the two. (It has Users permission by default.)

4. Log on with the new user and add shortcuts for commonly used software to the desktop.

If you need to use an administrator to install a program in the future, note that the administrator is generally not displayed on the welcome page. Press Ctrl + Alt + Del twice on the welcome page to bring up the login window, then manually enter the user name and password to log on.

How To Disable Software Installation

Control Panel -- Administrative Tools -- Local Security Policy -- Software Restriction Policies (if this is the first time you use Software Restriction Policies, right-click "Software Restriction Policies" and choose "Create New Policies") -- Additional Rules. Create a "hash rule" in the window on the right: in the "New Hash Rule" dialog box, click "Browse", find the QQ installation directory, select "qq.exe", and set the security level to "Disallowed". But a person with a little understanding can crack it.

The above method is feasible.

The simplest method is to create a restricted user. Other approaches, such as using gpedit.msc, are difficult and are not recommended.

Disable SETUP.EXE and so on

The procedure is as follows:

1. First, log on to WinXP as the system Administrator.

2. Click "Start > Control Panel" and double-click the "User Accounts" icon in the Control Panel window.

3. In the task list of the window that appears, click "Create a new user" and enter a name in the text box of the wizard window. The name will appear on the welcome screen or Start menu. Click "Next".

4. The new screen offers the "Computer Administrator" and "Restricted" permissions. Click "Restricted" and then click "Create Account".

In addition, in the task list window, you can change the name and delete the created account.

The second reason is that you may not be careful when installing the software. Only the Administrator account can be used, and other users have no permission.

If it is SP2, you can directly grant permissions to the Program Installation File

Modify the registry:

In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer

Add two values:

Name: DisableUserInstalls, type REG_DWORD, value 0x00000002 (2)

Name: DisableUserInstalls_Intelset_undo, type REG_DWORD, value 0x062ce6f0 (103606000)

In this way, you can

To allow installation, you only need to change the value of DisableUserInstalls (type REG_DWORD) from 0x00000002 (2) to 0x00000000 (0).

1. Run gpedit.msc to open Group Policy. Under Administrative Templates, open Windows Components; there is a Windows Installer node. Take a look at the content on the right. The specific method is: run gpedit.msc -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> enable "Disable Windows Installer" and "Prohibit User Installs".

Double-click "Disable Windows Installer" in the window on the right, set it to "Enabled", and click "OK" for the setting to take effect.

Disable "Add/Remove Programs" and then enable the following policy: User Configuration - Administrative Templates - System - "Run only allowed Windows applications". In the "List of allowed applications", add the applications that are allowed to run; this restricts the programs that users can run.

You can set limits in the Group Policy, but as long as the user can enter the Group Policy, he can still install the file. After the method is set to enter the Group Policy, go to user permission settings and find the installation file to delete all user names.

2. Super Rabbit

3. Right-click My Computer and choose Manage, open Services under Services and Applications, find Windows Installer on the right, double-click to open it, and change the startup type to Disabled. Most installation programs can then no longer be installed, because this disables every installer that needs to call Windows Installer; *.msi packages in particular cannot be installed.

4. Create an account in User Accounts in the Control Panel and do not grant it installation permission. When you want to install something, right-click the installer and choose to run it with the Administrator account. Some programs that want to modify system files are also run with the Administrator account this way:

gpedit.msc - Computer Configuration - Windows Settings - Security Settings - User Rights Assignment: the following loader and uninstall programs allow Trust to delegate

5. Run msconfig and disable it directly. Except 2000, it cannot be used directly.

6. Set User Permissions

Encrypt the administrator user name. Create a user in the Users group so that they can use this account to log on to the installation directory and cannot use multi-user logon. Set permissions for each user; it is best to allow programs to be installed only when the Administrator authorizes it. If you use a 2000, XP, or 2003 system, convert the disk to the NTFS format and set permissions for each user. To disable the Windows Installer service: Start -> Control Panel -> Administrative Tools -> Services -> Windows Installer -> Properties -> Disabled.

To enable the Group Policy settings, choose Start > Run > gpedit.msc > User Configuration > Windows Components > Terminal Services > Windows Installer. You can select multiple options as needed.

Item 1: If you have sufficient permissions, you can select "Always install with elevated privileges". Note that this setting appears in both the "Computer Configuration" and "User Configuration" folders. To make this setting take effect, you must enable it in both folders.

Item 2: Search order, which specifies the sequence in which Windows Installer searches for installation files. By default, Windows Installer searches the network first, then removable media (floppy disk, CD-ROM, or DVD), and then the Internet (URL). To change the search order, enable this setting and enter the letters that represent each file source in the order you want Windows Installer to search:

-- "N" indicates the network;

-- "M" indicates the media;

-- "U" indicates the URL or Internet.

To exclude a file source, omit or delete the letter representing that source type.

Item 3: Disable rollback to Prevent Windows Installer from generating or saving the files required to reverse the interrupted or unsuccessful installation.

This setting prevents Windows Installer from recording the system status and the order of changes made during installation. It also prevents Windows Installer from retaining files to be deleted later. The result is that if the installation is not completed, Windows Installer cannot restore the computer to its original state.

This setting is designed to reduce the amount of temporary disk space required by the installer. It also prevents malicious users from interrupting an installation in order to collect data on the computer's internal state or to search for security-sensitive system files. However, an incomplete installation may cause the system or a program to fail, so do not use this setting unless necessary.

This setting appears in the "Computer Configuration" and "User Configuration" folders. It takes effect if it is enabled in either of the two folders (even if it is explicitly disabled in the other folder).

Item 4: Prevent any installation from removable media. Intuitively, this means that programs cannot be installed from a floppy drive or an optical drive; it prevents users from installing programs from removable media.

If you try to install the function from removable media, such as CD-ROM, floppy disk, or DVD, the message appears, claiming that the function is not found.

This setting applies even if the installation is run in the user's security context.

If this setting is disabled or not configured, you can install it from removable media only when the installation is in the user's own security context; however, when the installation is run with high system privileges (such as the installation provided on the desktop or displayed in "Add/delete programs"), only the system administrator can use removable media.

How can we keep the network open? No Tornado, Express, or other P2P download software

With the continuous development of modern network technology, information sharing is greatly facilitated. People use the Internet to download and share resources for learning. Enterprise users use the Internet for work, such as video conferences and online conferences.

With a wide range of shared network resources, download tools have emerged. Currently, mainstream download software in China includes Internet Express, QQ Tornado, and Thunder. These P2P tools occupy a large amount of bandwidth during downloads, resulting in a slow LAN and frequent network disconnections. This seriously affects the normal use of online meetings, video conferences, and other network services. Because some network resources contain virus code, viruses attack the LAN after such resources are downloaded, which brings great harm to LAN users. At the same time, the use of P2P download tools during work hours reduces the work efficiency and quality of employees and affects the overall efficiency of enterprises.

In the LAN of enterprises and institutions, effective control of P2P software such as thunder, Internet Express, and QQ cyclone has become an important aspect of network management. These P2P software uses a large number of open-source P2P protocols and supports variable ports. Meanwhile, these P2P tool servers have a large number of IP addresses and the de-centralization trend is obvious. During the transmission process, it also encrypts the content and uses fuzzy algorithms to mask its features. Thus, how to effectively manage P2P software becomes a challenge.

To this end, I wrote this article specifically to tell you some basic knowledge and methods to prevent local area network downloads. You are also welcome to participate in the discussion and share the new technologies and methods you know so that you can have a better choice.

Hardware Management:

In terms of hardware, the router at the network egress is used to control the computer access to the internet in the LAN. Because it is controlled based on hardware devices, it is currently the most thorough and effective method.

Hardware management requires logging on to the router with the administrator account and editing forwarding rules to restrict hosts. The principle is to use the IP address filtering function of the router to prevent certain ports of a computer with a given IP address, or of an IP address range, from connecting to the Internet.

Advantages: it is safe and efficient, and does not seriously affect the overall network speed.

Disadvantage: inflexible and complicated parameter settings. The complexity lies in the editing of entries. It requires users to have a certain understanding of the basic network and port rules. improper use may cause network paralysis. In some cases, you need to edit several entries to restrict the Internet access of an IP address, which requires a high level of user knowledge.

The following uses TP-LINK as an example to introduce the main parameters in Hardware Management Configuration:

To use the IP address filtering function, you must first enable the firewall and then enable the IP address filtering function. You can add a specified IP address or CIDR block here.

LAN port: the port used by the local machine to send data to the Internet. To block Express and QQ Tornado, disable UDP ports:, 10002, 10022-10024. Disabling only these ports does not completely prevent Express from downloading. Because Express also downloads through servers, you must block the Express server addresses in the WAN configuration below.

Effective time: this parameter is composed of four digits. The first two represent hours, and the last two represent minutes. For example, 0900 indicates 9:00 AM.

WAN IP address: you can specify a WAN IP address or CIDR block to which connections are prohibited. For example, the QQ server address is 202.104.128.233.

WAN port: this parameter blocks connections to the given port of the WAN IP address.

Protocol: TCP, UDP, and ALL are supported. Generally, ALL is selected.

Pass: there are two options, allow pass and deny pass; set as needed.

Status: there are two options, effective and ineffective; this sets whether the entry is in effect.

If no value is set for the LAN IP address, LAN port, WAN IP address, and WAN port, all IP addresses and ports are displayed.

Software management:

The software uses traffic control software to monitor and control the download behaviors of computers in the LAN. The success rate of this method depends on the software perfection and execution efficiency.

Today, there are a lot of software that restrict download on the Internet. They can all independently control the Internet access behavior of a computer, such as blocking login to QQ and access to a specified website, restrict BT, HTTP download, and traffic control.

However, the difference lies in the bypass listening mode and ARP spoofing mode.

ARP spoofing:

The advantage is that any machine in the LAN using ARP spoofing technology can serve as the monitoring end without special configuration, which is relatively simple to use.

The disadvantage is that the network speed is slow. If two people in the LAN use ARP spoofing at the same time, the LAN will crash.

Bypass listening mode:

I use Super Sniffing Dog (official website: www.imfirewall.com) as an example to show how it controls computers. First, let's take a look at its monitoring principle. Super Sniffing Dog adopts the bypass listening method, which uses port mirroring for monitoring. Port mirroring copies packets from a specified port (source port) to another port (destination port). The destination port is connected to a data monitoring device, which can analyze the packets copied to the destination port for network monitoring and troubleshooting.

Advantage: it does not affect the network speed.

Disadvantage: you need a switch or router with the port mirroring function, and you need to configure the mirror port.

After understanding the principles, we will demonstrate how to use super sniffing dogs for network monitoring.

The first step is to install the software. After the installation is complete, start the super sniffing dog.

Before monitoring, you need to configure the relevant parameters: select the IP address to be monitored, then select the options to prohibit P2P download and to prohibit Express and QQ Tornado. If no configuration is made, you can only monitor the traffic of an IP address in real time.

After the configuration is complete, the monitored computer cannot use P2P software such as tornado and express for download.

This software can also control QQ login, prohibit access to the specified website, and other features, but this article focuses on Anti-P2P download, so other features will not be described in detail.

To sum up, Software and Hardware Management has its own advantages and disadvantages. You need to use different management methods as needed.

How to disable download

The method is as follows:

1) In "Start -- Run", type "gpedit.msc" to open Group Policy, then expand in sequence: User Configuration - Administrative Templates - System (click to select "System"). In the right window, find "Don't run specified Windows applications", double-click it, and select "Enabled" in the window that appears. Click "Show" > "Add", and in the "Add Item" dialog box that appears, enter the program that must not run (the download program). Click "OK", click "OK" again, and then click the "Apply" button.

2) Prohibit the use of IE to download files:

Open the Registry Editor, find HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, find the DWORD value 1803 on the right, and double-click to change it to 3. Restart IE to see whether downloading is still possible. To cancel the limit, you only need to restore the DWORD value to 0.

3) Disable running of executable files downloaded by IE:

1. Disable running files in the temporary folder

In Local Security Settings - Software Restriction Policies - Additional Rules, add the following prohibitions:

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\*.com

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\*.exe

Blocking these two file types prevents executable files downloaded by IE in the background from running.

2. Disable running files in the cache area

Save the following code as a .reg file, double-click it to import, and restart the machine:

Windows Registry Editor Version 5.00

; Software Restriction Policy path rule under level 0 (Disallowed):
; blocks .exe files in the IE cache directory from running.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{users}Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{f5c7901a-3e81-444b-850e-74d60ca3f6d8}]
; LastModified is incomplete here: its first byte is missing.
"LastModified"=hex(b):,04,95,5f,35,96,c8,01
"Description"=""
"SaferFlags"=dword:00000000
"ItemData"="C:\\Documents and Settings\\Administrator\\Local Settings\\Temporary Internet Files\\Content.IE5\\**\\*.exe"

This prevents exe files from running from the IE cache directory, which provides immunity against most web Trojans.

Four methods to prevent Software downloading

Method 1:

To prohibit downloads, you must first uninstall all download tools from your computer.

Method 2:

Steps for prohibiting IE from downloading files: enter "regedit" to open the registry, expand HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, find the DWORD value 1803 on the right, and change the value to 3. Restart IE to see if it can still download.

Method 3:

To prohibit IE downloads, you can change the setting via Start - Run - "gpedit.msc". However, a user can change it back in the same way, in which case the ban does not hold. So you may also want to disable "Run".

How to disable Run:

1. Enter "gpedit.msc" to open Group Policy - Local Computer Policy - User Configuration - Administrative Templates - Taskbar and Start Menu, find "Remove Run menu from Start Menu" on the right, double-click it, and select "Enabled".

2. Enter "regedit" in Start - Run to open the registry, expand to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, find NoRun on the right, double-click it, and change NoRun to 1. If NoRun is not found, right-click the blank area on the right, select New - "DWORD", enter the name "NoRun", then double-click it and change it to 1.

How to hide Run:

Right-click the Start Menu - Properties - Classic Start Menu - Customize (on the right side), and in the advanced Start menu options clear the check box in front of "Display Run". You can still use the Windows + R shortcut key to bring up the Run window.
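An added example, not part of the original page: a Python check that reads the text of a `reg export` dump and reports whether the registry values set in the sections above (DisableUserInstalls = 2, value 1803 = 3 under Zones\3, NoRun = 1) are present, missing, or changed. The MSIServer `Start` check, the function names, and the sample export are assumptions introduced here.

```python
import re

# (key, value name, expected DWORD, meaning) -- the first three come from this page.
CHECKS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer",
     "DisableUserInstalls", 2, "user installs blocked"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3",
     "1803", 3, "IE downloads disabled in zone 3"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoRun", 1, "Run removed from Start menu"),
    # Assumption (key path not on the page): registry form of setting the
    # Windows Installer service to Disabled; Start=4 means Disabled.
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer",
     "Start", 4, "Windows Installer service disabled"),
]
SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)\s*=\s*(.*)$')

def unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse .reg export text into {key_lower: {value_name_lower: data}}."""
    keys, current = {}, None
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex data continued with "\"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = VALUE.match(line)
        if m and current is not None:
            data = m.group(2).strip()
            if data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = unescape(data[1:-1])
            current[unescape(m.group(1) or "").lower()] = data
    return keys

def audit(reg_text):
    """Return [(value name, status, detail)] for each setting in CHECKS."""
    keys = parse_reg(reg_text)
    results = []
    for key, name, expected, meaning in CHECKS:
        actual = keys.get(key.lower(), {}).get(name.lower())
        status = "MISSING" if actual is None else "OK" if actual == expected else "DRIFT"
        results.append((name, status, f"{meaning}: expected {expected}, found {actual}"))
    return results

# Constructed sample export (not from a real machine).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer]
"DisableUserInstalls"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1803"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer]
"Start"=dword:00000004
"""

if __name__ == "__main__":
    for name, status, detail in audit(SAMPLE):
        print(f"{status:8}{name:22}{detail}")
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so read the file with `encoding="utf-16"` before passing its text to `audit()`.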

Can I control the permissions of the entire registry after the program to be installed is completed and only read data cannot be written? Is this feasible?

1. Run Group Policy --- gpedit.msc --- manage template --- Windows component ---- Windows Installer --- prohibit user installation -- properties --- enabled --- Disable User Installation

2. Right-click my computer-manage (or open the service in the management tool)-service-Windows Installer-change to disabled.

I tried both of the above. In group policy, the software can be installed in addition to running the specified program. The network is not credible at all. My system is XP.

I wonder whether a feasible method can be provided. The same user (administrator), but the effect is that you can not install any software except for unbinding the restrictions.

Running secpol.msc directly jumps out of the windows software security policy window... it's not a command line... it's a window setting ..

secpol.msc ---> Right-click the Software Restriction Policy ----> Add a new software policy ----> right-click other rules ---> New Path rule ---> select the directory ---> for example, if you want to restrict the direct opening of the exe file in IE, you can set that the IE directory is not allowed, if you do not allow software installation, you can also set the temporary directory of the system to prohibit the installation ....

If you want to disable the running of an exe with a fixed name, you can also do this:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQ.exe" /v debugger /t reg_sz /d debugfile.exe /f

If you change the name of qq.exe, you can run it again.
