Configuring Windows Software Installation Security Tools

Whether you have dozens of computers in your office or just one in the home, there are many reasons to prevent users of your system from installing programs downloaded from the Internet or even from discs brought from home. All of you employers out there can ill afford a viral infection on your computer network just because one of your employees is downloading pirated movies. You parents out there who closely monitor your children's media exposure probably know that programs giving access to the bloodiest games and movies out there are just a free download away. We will go over several ways to set user privileges in Windows 7, and review some third-party programs.

Manage Install Rights with Group Policy Settings


Select the Windows icon in the lower left corner of your screen and type ''gpedit.msc'' into the search bar. Hit Enter to open the Group Policy Editor. Once that opens, follow the path ''Computer Configuration'', then ''Administrative Templates'', followed by ''Windows Components'' and finally ''Windows Installer''. In the RHS pane you must then double-click on ''Disable Windows Installer''. Configure the option as per your needs. If you enable this setting, you can use the options in the Disable Windows Installer box to choose which of the three installation settings you want.

The “Never” setting means that Windows Installer will let anyone install anything. This is the default for Windows Installer unless you reset user privileges manually.

The “For non-managed apps only” option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds to Add or Remove Programs). This is the setting that employers should have on all employee workstations, as it will only permit your employees to install programs that have to do with their jobs.

The “Always” option indicates that Windows Installer is disabled.

Sounds easy, right? Wrong. These settings only affect programs that use Windows Installer. Programs that install by other means or that come as fully executable files can still be downloaded and installed. So the only way to be completely sure is to disable the program you want to block through the Registry Editor. Group Policy settings are relatively blunt software installation security tools for most users, although if you are a parent they can be useful for granting privileges only for approved programs on your kids' user accounts.

Extending Restrictions to all Non-Administrators

Once you have opened the Group Policy Editor, go to ''User Configuration'', then click ''Administrative Templates'', followed by ''Windows Components''. Scroll down and then select ''Windows Installer''. Once there you should select the option to ''Always install with elevated privileges''. This will extend the rules that you set earlier to all users without administrative privileges. Remember that this same setting is located within both the ''Computer Configuration'' and the ''User Configuration'' folders. For this setting to have any effect, you must configure it properly in both folders.
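
To see what these settings actually wrote on a given machine, here is an added example (not part of the original article) that reads the policy values from the registry without changing anything. The registry paths and the value names DisableMSI and AlwaysInstallElevated are the ones Windows uses for these policies and do not appear in the article. Microsoft's description of ''Always install with elevated privileges'' says it directs Windows Installer to use elevated permissions when installing any program, so compare the ElevatedInstallsInEffect result with what you intended.

```powershell
# Added example: read-only audit of the Windows Installer policy values.
function Get-InstallerPolicyReport {
    $machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $user    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'

    # Return the named value, or nothing when the key or value is absent
    # (the policy is then "Not configured").
    $read = {
        param($Path, $Name)
        $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $p) { $p.$Name }
    }

    $disableMsi  = & $read $machine 'DisableMSI'
    $elevMachine = & $read $machine 'AlwaysInstallElevated'
    $elevUser    = & $read $user    'AlwaysInstallElevated'

    # DisableMSI data: 0, 1 and 2 are the three options in the policy dialog.
    $modes = @{ 0 = 'Never'; 1 = 'For non-managed apps only'; 2 = 'Always' }
    $mode = 'Not configured'
    if ($null -ne $disableMsi -and $modes.ContainsKey([int]$disableMsi)) {
        $mode = $modes[[int]$disableMsi]
    }

    # The elevated-install policy only takes effect when both hives hold 1.
    $elevated = ($elevMachine -eq 1) -and ($elevUser -eq 1)

    New-Object PSObject -Property @{
        DisableWindowsInstaller      = $mode
        AlwaysInstallElevatedMachine = [bool]($elevMachine -eq 1)
        AlwaysInstallElevatedUser    = [bool]($elevUser -eq 1)
        ElevatedInstallsInEffect     = $elevated
    }
}

Get-InstallerPolicyReport | Format-List
```

Run it in the session of the user whose settings you want to check, because the HKCU half of the result is per user.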

Block Specific Applications

Say for example that there are programs that you wish to have access to but would rather keep your users away from. Navigate to the Group Policy Editor as directed earlier, then follow the path to ''User Configuration'' followed by ''Administrative Templates'' and finally, ''System''.

In the RHS pane, double-click ''Don’t run specified Windows applications'' and in the window which follows select ''Enabled''. Now under ''Options'' select ''Show''. In the new window, input the specific file path of the application you want blocked.

Activating this setting blocks users from running the programs you add to its list of blocked applications.

Your Nuclear Option

You can also block installation of programs through the Registry Editor. This is the big stick among Windows software installation security tools because even if one of your users manages to get a fully executable copy of the blocked program into the system, the program will be fully blocked from operating.

Open the Registry Editor and go to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

Then you must create a string value (see below), give it any name, and set its value to the EXE file of the program you are trying to block.

For example, if you want to restrict Frostwire, then create a String value named 1 and set its value to frostwire.exe. If you want to restrict more programs, then simply create more String values with names 2, 3 and so on and set their values to each program’s exe.
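
The same block list, whether entered through ''Don’t run specified Windows applications'' or by hand in the Registry Editor, can be written with a short script. The following is an added example, not part of the original article; the function name Set-DisallowRunList is hypothetical, and the script replaces any existing list for the user who runs it. It also sets the DisallowRun DWORD in the parent Explorer key to 1, which Windows requires before it enforces the list; that step is not in the article's text.

```powershell
# Added example: build the per-user DisallowRun list for the current user.
function Set-DisallowRunList {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Executable      # file names such as 'frostwire.exe'
    )

    $explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $listKey  = Join-Path $explorer 'DisallowRun'

    # This example accepts bare .exe file names only, as in the
    # frostwire.exe entry above, and stops before writing anything otherwise.
    foreach ($exe in $Executable) {
        if ($exe -notmatch '^[^\\/:*?"<>|]+\.exe$') {
            throw "Not a bare executable file name: $exe"
        }
    }

    # Start from an empty list so stale entries and numbering gaps do not linger.
    if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
    New-Item -Path $listKey -Force | Out-Null

    # String values named 1, 2, 3 ... each holding one executable name.
    $i = 0
    foreach ($exe in $Executable) {
        $i++
        New-ItemProperty -Path $listKey -Name "$i" -Value $exe `
            -PropertyType String -Force | Out-Null
    }

    # The list is only enforced when this DWORD in the parent key is 1.
    New-ItemProperty -Path $explorer -Name 'DisallowRun' -Value 1 `
        -PropertyType DWord -Force | Out-Null

    # Show what was written so it can be checked against the intended list.
    Get-ItemProperty -Path $listKey
}

# The article's example: block Frostwire for the current user.
Set-DisallowRunList -Executable 'frostwire.exe'
```

Because the key lives under HKEY_CURRENT_USER, the script has to run in each restricted user's own session, and the user needs to log off and on again before Explorer picks up the change.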

Other Restrictive Tools

Parents will find some tools to restrict user download and installation privileges if they are using Norton Internet Security parental controls. You can always go to ''manage users and groups'' in the Control Panel and remove download privileges. There are programs like Stop Software Installation Tool and PC Restrictor that will add further levels of control. However, for most users, the user restriction software included with Windows should provide an adequate level of control.

Users seeking a simpler, low-cost system will be pleased that the popular Ubuntu Linux operating system allows administrators to set download and installation privileges as each user account is created. One last note for parents: all download and installation restrictions are null if your kid figures out your password, so change it often.

