Simple executable-blocker?

I'm trying to futher secure a computer running WinXP.

It already has antivirus and is setup to use limited user accounts, so users should not (easily) be able to tamper with system files.

But I would like to protect some users against themselves, that is running .exe, ActiveX and other stuff downloaded from the internet. Basically we are talking about completely computer-illiterate users that shouldn't be able to run og install anything on their own

Problem is I want a simple solution, and software like Faronics Anti-Executable seems a bit overkill for my setup.

All I really need is some kind of white/blacklisting of execution from folders, so that people can run all apps in say: C:\Windows and C:\Program Files, but not in other dirs (like their own home directories). I really don't need to scan all files on my system with hashes etc. I rather prefer the directory-approach combined with sane NTFS permissions.

So is there a lightweight solution for my needs?

 

You may want to look at Spyware Blaster for one thing. You'll need to manually download updates about once a month or so. I am sure there are many other solutions to add to your needs as well.

http://www.javacoolsoftware.com/spywareblaster.html

Using firefox browser with no script and adblock plus may be another thing to consider.

As far as whitelisting/blacklisting execution, the only thing off the top of my head would be to consider something like Syatem Safety Monitor with some of the apps allowed/not allowed and then hide the systray icon? Not sure if that would do it or not, though.

http://www.syssafety.com/

 

At first, I thought about simply applying Software restriction policies using the Local Security Policy editor included in WinXP Pro, because you can set restrictions on directories, hashes etc.

But it seems a bit limited, and one thing I dislike is that it also blocks shortcuts, even though they point to a secure location.

Example:

Use John Doe is not allowed to run/install software, but makes a shortcut to Firefox on his desktop.

Shortcut: C:\Documents and Settings\JohnDoe\Desktop\Firefox
Application: C:\Program Files\Firefox\Firefox.exe

So even though the Firefox executable is in a safe location, the shortcut won't work because it's placed in a blacklisted directory. I think that's a bit too restrictive - after all, it's the location of the .EXE that matters.

 

ExeLockdown is a great freebie that might be what you're looking for.

http://www.horizondatasys.com/169602.ihtml

Its actually been discontinued by its company Horizon Datasys, the last version is 5.01, i don't know if you can still download it from the horizon website, i couldn't see any download option. However you should be able to find on any of the popular software sites. If you want to try it but can't find it send me a pm and i can forward you the email i recieved from horizon data when they still hosted the program.

One helpful tip is make sure you read the instructions when installing it as it is password protected by default and the instructions will give you the password.

 

The most recent version of ExeLockdown can be downloaded from this page:
http://www.padring.com/soft/Utilities/Antivirus/ExeLockdown.html

I found this program to be very unstable and had to abandon it.

 

Hello,
You can use the Group Policies and Software Restriction Policies to do just that - prevent downloads, installation of activex, executing certain files etc.
Built-in (XP Pro), free, no impact on performance.
Mrk

 

Same here.

That makes "2" of their programs that i had to drop because they were jaggedly ineffective and unstable, the other being RollbackRx which fudged my whole system and locked me out of the backups i had made with it. No matter though.

Leapfrog's FD-ISR "is" efficient and extremely reliable + safe.

If i'm not mistaken, CoreForce was designed to make very much use of those built-in restrictions/policies etc. It's just that it was a bit more heavy & slow in practice then i anticipated although the concept was very unique and solid.

 

Exelockdown never caused me any problems, it was very stable on my system. There is no noticeable performance impact in my experience, it doesn't even show up in the task manager if i remember correctly.

 

Really u need Anti-Executable. It will be easiest to use with max protection and no hassles. Just my guess.

 

Check out Winsonar. Maybe it will do what you are looking for? I have no idea if it would work under a Limited User account though...

http://digilander.libero.it/zancart/winsonar.html

 

Just remove .lnk from the designated file types.

 

In XP, you needn't worry about limited users running ActiveX controls. It's very difficult to run ActiveX controls from within a limited user account, and probably not possible with non-technical users.

To quote from Aaron Margosis' "Non-Admin" Weblog (6/15/06):