To control installs from the Internet you must configure the zone settings for Internet Explorer. These can be adjusted from the Internet Options selection on the Tools menu. When you do this, you are modifying the Windows registry. However, to effect changes for specific users or for many users automatically, it is much more efficient to change the registry by using Group Policy, by writing a script or by editing it directly. Please be aware that doing so without proper knowledge, caution and testing can damage the operating system. While you are at it, don't forget to add settings that prevent users from accessing the Internet Options areas and changing things back. Also prevent users from being administrators on their own machines, as they can then directly edit the registry themselves and undo your work.
No automated method provides all of the choices you might want, so please read the article "Description of Internet Explorer security zone registry settings." In this article, you'll find information about where to make changes (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones), which zone represents the Internet zone (it's 3) and the specific values to add or edit. For example, 1803 controls file download (set it to 3 to disable, 0 to enable), and 1800 is installation of desktop items.
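A scripted version of the change described above, as an added example that is not part of the original article: it reports the current Internet-zone values for 1803 and 1800 and, when run with `-Apply`, sets them to disable and re-reads them to confirm. The function names, the choice of the per-user hive and the use of value 3 for 1800 are assumptions of this example.

```powershell
param([switch]$Apply)   # without -Apply the script only reports

# Zone 3 is the Internet zone. Using the per-user hive is an assumption of this example.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
# 1803 = file download, 1800 = installation of desktop items; 3 = disable.
$Desired = [ordered]@{ '1803' = 3; '1800' = 3 }

function Get-ZoneAction {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value (or key) not present
    return [int]$item.$Name
}

function Format-ZoneAction {
    param($Value)
    if ($null -eq $Value) { return 'not set' }
    switch ($Value) { 0 { 'enable' } 1 { 'prompt' } 3 { 'disable' } default { "other ($Value)" } }
}

function Set-ZoneActions {
    param([string]$Key, [System.Collections.IDictionary]$Settings, [switch]$Apply)
    if ($Apply -and -not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    foreach ($name in $Settings.Keys) {
        $before = Get-ZoneAction -Key $Key -Name $name
        $want   = $Settings[$name]
        if ($Apply -and $before -ne $want) {
            # Zone action values are stored as DWORDs
            New-ItemProperty -Path $Key -Name $name -Value $want -PropertyType DWord -Force | Out-Null
        }
        $after = Get-ZoneAction -Key $Key -Name $name
        [pscustomobject]@{
            Setting   = $name
            Before    = Format-ZoneAction $before
            After     = Format-ZoneAction $after
            Compliant = ($after -eq $want)
        }
    }
}

Set-ZoneActions -Key $ZoneKey -Settings $Desired -Apply:$Apply | Format-Table -AutoSize
```

Run it once without `-Apply` on a test machine to see which values are not yet compliant before writing anything.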
Group Policy Administrative Template settings can be used to restrict user access to Internet Options, but you must realize that restricting access to Internet Options via Windows Components\Internet Explorer\Browser Menus and then selecting the "Tools Menu: Disable Internet Options" setting will not keep users from changing them through the Control Panel. You must also configure the Internet Explorer\Internet Control Panel settings in Administrative Templates and disable access to each options page.
This was first published in September 2004