If it is not just one but several users who use a stationary computer or laptop, by necessity, it is natural that each of them can install the programs that he needs for everyday work or entertainment into the system. This can lead to unpredictable consequences that relate to a possible violation of the functionality of the operating system.
To prohibit the installation of programs in Windows XP and in systems of a rank higher than one or several users at a general level can be quite simple. However, the most logical solution, consisting in excluding users from the administrator group or increasing the level of UAC control, does not give effect in the seventh version of Windows and later modifications of the system, since they can still use the installer’s start on behalf of the administrator. Despite this, several options for setting a ban can still be applied.
Does it need a ban on installing software?
To begin, let's briefly dwell on why and why you need to introduce such prohibitions by the administrator.
Here the problem is not even that the user can install completely unnecessary software, but rather that during the installation of some applications a huge amount of so-called affiliate software can often be installed (which is often ignored by many users due to their carelessness). In addition, some viruses (for example, of an advertising nature) are very successfully masked under such applets.
In general, the installation of unnecessary software products leads to clutter of the hard drive and to a decrease in computer performance when the installed programs prescribe their own settings in the system startup and in the system registry. And without special knowledge and skills, it is extremely difficult to make the most complete removal of installed applications, and it is best not to count on Windows tools.
How to prevent the installation of programs on Windows 7 in the group policy settings?
Since we will discuss more specifically the seventh modification of the system, we will proceed from its basic settings and parameters. But the solutions given can likewise be applied in later versions of the OS. So, how to prevent the installation of programs on Windows 7 for all users at a general level, including a possible installation initiated by the applications themselves, for example, during an update? This can be done through group policies. Access to the editor is carried out by the gpedit.msc command, which is specified in the Run menu (you must check the box at the task launch point with administrator rights).
In the editor, you should use the sections of administrative templates and Windows components, and then select the installer's ban item in the list. After this, double-click to enter the editing of this parameter, set it to the on state and apply the changes.
Snap Actions
In Windows 7, access to setting prohibitions on any actions performed by a potential user of the system can also be obtained through the so-called snap-in management console (mmc).
Here, first, through the file menu, you need to choose to add a new snap-in, then select group policies in the list of available tools and add it to the list on the right with the add button. In the new window that opens, the browse button should bring up another window, go to the "Users" tab and mark the user for whom the prohibition should apply.
The snap-in code will be added via the “File” menu, it must be saved using the standard method for this, with the registered name of the administrator assigned as the name. After that, you need to repeat the above steps in the Group Policy Editor, but in this case, the installation of programs in Windows 7 will be prohibited only for the selected user.
Note: if necessary, you can create several snap-ins or set bans for all registered users.
How to prevent a user from installing Windows 7 programs using parental control settings?
To set bans, you can use another method, which, according to most experts, is the simplest and does not require special knowledge of system tools. How to prevent the installation of programs on Windows 7 and systems above using this tool? To do this, in the "Control Panel" you need to use the account management section with the choice of the parental control installation item.
Next, the user for whom the ban will be set is simply marked, and the corresponding parameter for restricting the launch of programs is activated. The system will automatically create a list of applications that can be blocked, but if the program is not found, you can specify the path to it through the browse button yourself.
But judging by the advice of experts, you need to clearly understand that the disadvantage of this technique is that you can only limit the start of installed applications, and not those that the user is going to install, although you can add Windows installers to the list if you wish.
Setting a ban in the registry
Speaking about how to prohibit the installation of programs on Windows 7 regarding the limitation of launching the applications themselves or the system installer, one can apply an equally effective method consisting in changing the registry key (regedit) that is specially responsible for this.
The section is called DisallowRun and is located along the path shown in the image above. To set a ban, you just need to create a new parameter and specify the path to the executable EXE-file, and then restart the computer device.
Note: for each application, the parameter is created separately, if necessary, you can set additional key values (2, 3, 4), but the ban itself will apply to all users who do not have administrator privileges in the system.
Brief Summary
To summarize all of the above, it seems that many have already realized that setting limits on running installed applications is the easiest, but far from the best solution. If for any reason you want to prohibit the installation of programs specifically, it is best to use group policies or the snap-in management console, which is confirmed by most computer security experts.
But actions with these editors in any case should be carried out exclusively at the entrance to the administrator account or using the appropriate rights to change the system configuration. As a third-party tool, you can use the App Locker utility, but the actions with it almost exactly repeat the management of policies and snap-ins (only the parameters are imported and not set manually), so it was not considered.