I came across something recently that I found a little troublesome: 99% of my users are logging into Windows 2000 terminal servers with roaming profiles. I have my Group Policy configured so that they are not allowed to save downloads from the Internet, but if they choose the Open option instead of Save, a user is able to install a downloaded program from the Internet, without having to save it anywhere first. I have my Group Policy configured so that my users do not have the privileges to install applications, also.
Am I totally missing something here? Is there a simple policy setting to disable the Open option that I just overlooked?
This can typically be directed back to the fact that you are allowing the users to be administrators on the box, even in the Terminal Services session. If they are not administrators, they should not be able to install most of these applications. If all of these applications are add-ons, there are new controls for add-ons in the Group Policy settings for Windows XP SP2 and greater. I can't find any setting myself that can control the Open vs. Save issue that you are talking about.
This was first published in November 2005