Full Version: Any Suggestions For Securing Users With Admin Rights?
jr788
Hello All!

I've been on the bleepingcomputer site for some time but finally created an account.

Because of the nature of the software we use at work, all workstation users have to be a member of the Administrator group to use it. As a result, the guys in the back have a knack for downloading bad stuff and removing the sunshine from my day.

Anyone have any suggestions on how I can limit what they can do (prevent malware, spyware, downloading of bs... etc.) while they have the Admin rights?

The workstations are all custom built with Windows XP Pro SP2.

There is the main Admin account and they log in with a user account that's part of the Admin group.
Monty007
Hi jr, so are they admins on their own PCs or admins on the Domain? What is the software that requires an admin account?
Teenage.Zombiee
With some administrative programs you can control all users' rights.
Search around.

Also, find out what domains they are downloading this malicious software from. Block access to the site for all users.
If it keeps happening, try and track down the sites. It might be a pain but if you can't find software that will help you control rights.

Just a thought.
VirtueOfPanda
Hi jr788,

Use of a HOSTS file would help, I think... something like this one maybe? Also, what about SpywareBlaster? This prevents certain spyware from installing in the first place...

~VirtueOfPanda~
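
Added example (not part of the original thread, and not any poster's code): since the users in question have admin rights and can edit the HOSTS file themselves, a HOSTS blocklist is only useful if it is checked periodically. The sketch below parses HOSTS-format text and reports intended block entries that are missing, commented out, or pointed at a non-sinkhole address. The domain names, the sample file contents and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: the blocklist the administrator intends to enforce.
INTENDED = {"ads.example.test", "keygen.example.test", "p2p.example.test"}

# Constructed sample: a workstation HOSTS file after a local admin edited it.
SAMPLE_HOSTS = """\
# Sample HOSTS file
127.0.0.1       localhost
127.0.0.1       ads.example.test   # blocked
0.0.0.0         KEYGEN.example.test
#127.0.0.1      p2p.example.test
10.1.2.3        intranet.example.test
"""

def parse_hosts(text):
    """Return {hostname: ip} for every active (non-comment) entry."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # malformed address, skip line
        for name in fields[1:]:                  # one line may carry several names
            # Assumption: the first entry seen for a name is the effective one.
            entries.setdefault(name.lower(), ip)
    return entries

def is_sinkhole(ip):
    """True for addresses that make a block entry effective (loopback or 0.0.0.0)."""
    return ip.is_loopback or ip.is_unspecified

def audit(text, intended):
    """Compare the active entries against the intended blocklist."""
    entries = parse_hosts(text)
    wanted = sorted(d.lower() for d in intended)
    missing = [d for d in wanted if d not in entries]
    redirected = [d for d in wanted if d in entries and not is_sinkhole(entries[d])]
    return {"missing": missing, "redirected": redirected}

if __name__ == "__main__":
    print(audit(SAMPLE_HOSTS, INTENDED))
```

On the sample, the commented-out p2p.example.test line is reported as missing, which is the kind of quiet change a user with admin rights can make.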
jr788
Thanks for the replies.

The workstations have Admin rights on the PC accounts but not the Domain.
The software is Snapon ShopKey 5 & Management (Service Writer)

ShopKey has user rights options, but that only works within the program & won't help with the things they get on the internet.

I have McAfee AV & SpywareBlaster on it (I just downloaded the MS Defender also). It appears this last infection came from someone downloading a key generator for either Windows or MS Office.

I enabled the content blocker in Internet Explorer, but it seems most pages don't have ratings so it blocks just about everything. I'm sure they go to porn sites (mechanics are dirty boys lol) and that's where a lot of hazards come from.

Someone has also installed LimeWire in lieu of a radio, could this be a potential problem also?
Teenage.Zombiee
QUOTE
Someone has also installed LimeWire in lieu of a radio, could this be a potential problem also?

It all depends on what they download. I would advise them to only download music in the MP3 or M4A format.

WMA files can be dangerous as they can cause popups and other malware issues. If you're interested in reading about the dangers of WMA files downloaded from P2P, I suggest you read "Risk Your PC's Health For A Song?"

Also, I would block them from downloading certain file extensions from LimeWire. I recommend blocking WMA, EXE, ZIP, RAR, WMV or any other zipped file you know of. Get some info on how here.
jr788
Thanks for all the help.

I'll be following the LimeWire tips.

What does anyone think about disabling the Windows Installer through Admin Policies (gpedit.msc)? They have Admin rights and could change it back, but I seriously doubt anyone using the PC is savvy enough to figure out how. Then, when I need to do system updates, I could just enable it and disable it again when I'm done. Or would this cause more problems than it's worth?

P.S. In case anyone's wondering about my edit, I'm having problems with my "e"s today. I typed system as systme, done as doen, and cause as cause, LOL. Sorry, I'm a dork and find it funny.

P.P.S. I give up, I can't even type my edit right.
Teenage.Zombiee
That would be up to you, but some programs don't use Windows Installer to install. Which can be a problem because some malware I know of does not use MS installer.

I'd give the people who work with you a warning. More or less a threat: any more porn or malware and there will be no more admin rights. This would be a last resort of course, but why should your day be ruined because of their stupid mistakes, ehh?
ZGMFX24SCHAOS
In cases like limiting users' actions, I would recommend "Security Administrator v11.5". It has a wide variety of choices to limit actions taken by a user like editing stuff, downloading things, etc.