However, that said, there are things you can do to make it harder to 'run' unauthorized software. Some of that is permission setting on registry keys and folders. Sorry, but that's a key protective action. You can also use Group Policy to list only the applications that can run (I know, that's a toughie). You can use Terminal Server in application mode and associate software with user groups and specifically identify which software runs when they log on. You can use Group Policy to prevent them from running certain system features, and thus prevent them from say, installing drivers, accessing command lines, adding items to the start menu, adding shortcuts to the desktop, etc. You then must ensure that apps they need to run are listed on their start menu. Another possibility is allowing only 'signed' applications to run (use Group Policy), but then you must ensure that all applications you wish to run are properly signed.
What I am saying here is that you can restrict users and lock them down pretty well with Group Policy. You must also do things such as stop autorun, and perhaps block use of CD-ROM drives and floppy drives. You will need to spend some time configuring IE to prevent the running of scripts that may install programs and use of Java and ActiveX.
This is beginning to sound like a lot of work yes? However, once done, it can be applied network wide using Group Policy.
Do test your work before deploying.
Editor's Note: Additional resources can be found in our Group Policy Best Web Links.
This was first published in August 2002