I need to prevent clickonce installers from being run from Internet explorer. For example, google chrome is installed through a clickonce installer.
Is this possible? If so what are the options to disable it? I'm only concerned with Windows 7.
Asked
Active
Viewed 2,121 times
2
-
Is this something you want to do through Group Policies or on a per machine basis? – John Gardeniers Oct 25 '11 at 21:18
-
I don't think you can. You can disable Windows Installer in Group Policy (with or without a domain), but users can still install software using other installers. You can give a user only "Standard" rights, and they can't install a program to Program Files or use an Installer that puts components in c:\Windows, but they can install applications like FireFox and DropBox into the AppData folder. – Dom Oct 26 '11 at 00:42
-
@John Gardeniers: Either solution is acceptable. – Nathanael Oct 26 '11 at 05:59
1 Answers
1
Use Applocker.
We've implemented AppLocker with a baseline set of default rules that allow items to be run from program files, windows and some outside folders (like a custom folder for users to put portable apps). This removes the ability for clickonce junk to install as they most of the time launch from the profile.
Not only does this assist keeping clickonce off our computers and out of user's profiles...but it basically stops drive by malware in its tracks.
edusysadmin
- 536
- 2
- 8