Prevent user from installing software

My grandfather is pretty tech-savy for his age and loves to send emails, use Photoshop, and browse the web. I've made his computer pretty secure by installing AdBlock and teaching him how not to download viruses but every once in a while he receives a flyer in the mail with a free trial for 'Avast antivirus'. He's the type of person who can't resist free and promptly installs it. This is pretty annoying because it slows down the computer a lot, prevents Firefox from opening, and does all sorts of other this-antivius-is-basically-a-virus things. It's also a real pain to uninstall.

My question: Can I set something up that prevents him from downloading, installing, or running an Avast installer?

I have Windows 7

Dragongeek

Posted 2017-12-25T10:39:29.730

Reputation: 469

First level of defense: install mail spam filter :-) – Bergi – 2017-12-25T20:29:48.233

12@Bergi, lol, it's not email though, it's actual physical letter mail! – Dragongeek – 2017-12-25T20:33:15.740

4This is not solving the issue... Educating him is the best solution... – Dave – 2017-12-25T20:43:27.183

Does he need to have admin rights? While many (unwanted) programs do not need admin rights, an honest antivirus program should not install without those, I guess. – Mormegil – 2017-12-25T22:31:09.167

http://www.thewindowsclub.com/how-to-prevent-users-from-installing-programs-in-windows-7 – Pedro Lobito – 2017-12-25T22:55:43.543

Thought about regular backups? Then you can roll back – Journeyman Geek – 2017-12-26T03:46:46.517

But what's the problem with this exact software? Of course, it's not cannon-caliber cleaner like malware, but I am using Avast! for daily protection for many years exactly because of the tiny load. The load is tiny compared to, say Kaspersky, and it doesn't interfere with decent software like games. And it's not a virus like McAffee. I deal with other people's computers often and those with Avast! are a bit protected and get less malware than those depending on no AV or using Windows AV. – Džuris – 2017-12-26T09:41:51.947

6@Džuris I'm not a fan of antivirus software in general. You can block basically all malware by using AdBlock and windows built-in defender. Specifically Avast messed with Firefox settings (homepage), installed all sorts of browser plugins, and disabled adblocker (?!). Also, it slows down my grandfather's older computer to a crawl, especially during login. – Dragongeek – 2017-12-26T09:49:04.577

People who install random stuff usually need an AV and occasional Malwarebytes scan. Windows AV is no AV and AFAIK AdBlock is just a browser addon that just hides some stuff. My Avast! never interfered with settings anywhere, he probably left some checkboxes ticked. Just like you can install loads of crap with many other tools if you don't untick the advertised stuff... – Džuris – 2017-12-26T13:53:05.807

Every time you bail him out, you validate his behavior. You're being an enabler. Have you considered not enabling him? "You're on your own this time, because if I keep cleaning up after the computer problems you create for yourself, you'll never learn." – HopelessN00b – 2017-12-26T14:58:10.907

Have you tried telling him that installing free software via mail and email adverts is the equivalent of of him ingesting a free jar of mayonnaise that's been sitting in the sun for 6 days? Additionally, check out http://www.thewindowsclub.com/how-to-prevent-users-from-installing-programs-in-windows-7

– MonkeyZeus – 2017-12-26T17:37:19.580

It should be possible to protect c:\program files and c:\program file (x86) from being modified by him. Doing so will prevent him from installing files into their default location. However, I am unsure how to do so – CSM – 2017-12-27T12:32:49.410

You can add a write filter (like UWF in Windows 10) to automatically restore all changes to a specific drive (e.g. C:\) upon reboot. I'm not adding this into my answer because I'm not seriously recommending this. It can be potentially bad. – iBug – 2017-12-27T13:22:38.867

Answers

If you want to prevent a specific software from installing, you can try importing its certificate (digital signature) to "Untrusted certificates". Then whenever he tries to install it, the UAC dialog will show "This software is untrusted" instead of prompting you to grant Administrator access to the installer program.

There is a safer way to use the installer's certificate, but may slow down the whole system by a little. You can import Avast's cert into the Group Policy, so even if it doesn't require Admin privileges, it won't run.

If you want to block all software installation, then give him a User account (without Admin privileges). It could be the only solution for blocking everything, though. You need to ensure that your grandfather doesn't need Admin privileges frequently.

If it allows, you can configure your current AV software so that it distrusts Avast's certificate, and may delete the installer immediately he downloads it. This is also a good option.

Anyway, I personally believe that educating your grandfather to learn to resist ads and those whatever free trials is the ultimate solution. Then you won't have to bother with this and that to prevent him from installing them.

iBug

Posted 2017-12-25T10:39:29.730

Reputation: 5 254

"Anyway, I personally believe that educating your grandfather to learn to resist ads and those whatever free trials is the ultimate solution." <-- maybe installing an adblocker can help a bit? – Ismael Miguel – 2017-12-26T04:24:35.310

@IsmaelMiguel It won't block physical ads.

– iBug – 2017-12-26T04:26:58.850

But may help reduce another attack vector? – Ismael Miguel – 2017-12-26T13:22:53.400

@IsmaelMiguel Unlikely. The OP has already said email isn't the case. – iBug – 2017-12-27T13:17:59.227

2@IsmaelMiguel Question states adblocker is already in place. – None – 2017-12-27T15:27:02.233

Prevent Execution of Downloaded Programs

In addition to @iBug's good suggestion to remove administrative rights from your grandfather's account (after making another account with admin rights first!) you should prevent execution of files (i.e. software installers) saved to the Downloads directory.

Do this by editing the NTFS permissions on the Downloads folder and clear the Traverse folder/execute file permission.

This will prevent any executable saved in this folder from being started. You may wish to do this to the Desktop folder as well.

The advantage of this method in combination with removing admin rights from the account is that it prevents running any installer, not just those that require admin rights. Many unwanted programs will still install if the user does not have admin rights, but if the program can't be executed in the first place, it doesn't matter.

I say Reinstate Monica

Posted 2017-12-25T10:39:29.730

Reputation: 21 477

Will this affect .msi installers? – Ismael Miguel – 2017-12-26T04:24:03.507

@IsmaelMiguel I'm not sure but according to my experience, .msi installers is likely unaffected. – iBug – 2017-12-26T09:47:53.307

.MSI installers are unfortunately not affected by removing the Execute permission. – I say Reinstate Monica – 2017-12-26T14:26:26.563

2@TwistyImpersonator Is it because .msi files are read by msiexec.exe, instead of themselves being executed, thus requiring only read permission? – iBug – 2017-12-27T13:18:35.830

1@iBug Yes. To the operating system, .MSI files aren't executable; they're just another file that needs to be opened with another application. But in this case that is an application that installs software. – I say Reinstate Monica – 2017-12-27T13:43:46.973

I've done this for both a tech-illiterate family friend (who thinks "hot_nympho_girls_movie.exe" is legitimate, even after a dozen reminders) and on laptops at work that are loaned out to students on a daily basis (we want them to install drivers and software they need, but don't want to reimage the machine at the end of each day)

We used Toolwiz Time Freeze which is a free product. You install it, set the machine up how you want it, then enable the software. When the computer is restarted, it's returned to the point at which you turned the software on. You can "unfreeze" specific files and folders (e.g. I unblocked Thunderbird's config folders so emails persisted between reboots) so you can give or take as much control as necessary.

This is probably a bit overkill, but it works great for us, because each machine we loan is "ready to go" the moment it's shut down at the end of the day. And our family friend hasn't complained about popups and toolbars mysteriously appearing.

Grayda

Posted 2017-12-25T10:39:29.730

Reputation: 443

Does this behave in a similar manner to a guest account? – Wes Toleman – 2017-12-26T10:10:32.997

"even after a dozen reminders" There comes a point where you stop enabling the stupid. – RonJohn – 2017-12-26T17:14:48.007

@WesToleman More like a guest computer. The entire machine, all guest accounts, everything but the folders you unfroze, are reset when you reboot. – Grayda – 2018-01-04T06:30:56.763