For Windows Explorer-based functions, you can deny some folder permissions by setting up a GPO. You can also modify local policies (via gpedit.msc) and enable the "Remove CD Burning features" policy under User Configuration/Administrative Templates/Windows Components/Windows Explorer as shown in the following figure.
Use GPOs to deny write privileges
To deny write privileges for third-party applications, you're likely going to need a lock down tool such as those offered by Faronics and Fortres Grand or a host-based data leakage prevention tool such as those offered by ControlGuard and Verdasys.
Extra information on GPOs and folder permissions
- Use Group Policy to secure removable storage devices
Removable devices can be deadly to a Windows network. Check out this tip series to learn how to use Group Policy to prevent devices like USB drives from destroying your network.
- Selectively set read and write permissions
Manage the read and write permissions of certain hardware devices like Bluetooth headsets and external drives with this advice from Jonathan Hassell.
- Group Policy management: Disabling CMD
You can disable CMD in Group Policy in two steps according to Wes Noonan, our Windows-based network infrastructure security design expert. In this tip, he'll tell you how to prevent your network users from enabling CMD.
- Restricting user permissions in folders
If you have a question about managing the permissions of a folder in your domain, this advice from Jonathan Hassell tells you how to set those permissions and prevent users from deleting that folder.
This was first published in July 2007