Prevent users from installing firefox?

[Batman5177]

Hi everyone,

Our company develops our own in-house software, which is browser based. Since the development team is small, they have decided only to support Internet Explorer 7. I have already upgraded all computers (Windows XP) to IE7, but I have found out that users have been installing and using Firefox, even though they don't have local admin rights. Since they can't install it in the Program Files folder, they just create the program folder on the desktop. The development team is refusing to get their software working for Firefox, since it works well with IE7. This decision is not open to discussion, and I have no bearing on this decision whatsoever. My only task is to make sure everyone is using IE7.

cliffs: How can I prevent users from installing Firefox?

Thanks in advance.

 

[irishScott]

Lol I don't think you can. My HS tried the same thing with me. At first I created a new folder and installed it there. So they blocked firefox.exe from running. I changed the name of the exe file. Eventually they blocked every file in Firefox from running from the local drive, and prevented the installer from running. I installed in onto my USB flash drive and ran it from there. Since it left no temp files on their network, they never knew I was running it to my knowledge.

 

[nsafreak]

Originally posted by: Batman5177
Hi everyone,

Our company develops our own in-house software, which is browser based. Since the development team is small, they have decided only to support Internet Explorer 7. I have already upgraded all computers (Windows XP) to IE7, but I have found out that users have been installing and using Firefox, even though they don't have local admin rights. Since they can't install it in the Program Files folder, they just create the program folder on the desktop. The development team is refusing to get their software working for Firefox, since it works well with IE7. This decision is not open to discussion, and I have no bearing on this decision whatsoever. My only task is to make sure everyone is using IE7.

cliffs: How can I prevent users from installing Firefox?

Thanks in advance.

I'm sorry but you have one lazy ass development team even if it is a small department if they refuse to support Firefox. If anything FireFox complies closer to WC3 standards than IE7 does although the one that complies closest I believe goes to Opera. Good luck trying to keep everybody from using FireFox. As irishScott demonstrated it is all too easy to get around restrictions put in place unless you want to completely lock down each and every machine.

 

[traderonline]

who would ever think of preventing firefox lol.

 

[Lemon law]

To batman5177---you may have a goal but its stupid and luddite---you can fence yourself in but can't fence the world out---if you do browser stuff---ignoring the existence of Firefox and other alternative browsers is just about the stupidest thing I ever heard of.---which can only lead to your companies development of lame technologies guaranteed to flop in the marketplace.

Perhaps you need to do a review of betamax.

 

[GundamSonicZeroX]

While, I'm against the prevention of FF installs, I have to help an ATer. Is there anyway you can keep users from creating their own folders? That's the only way I can think of.

 

[nsafreak]

Originally posted by: GundamSonicZeroX
While, I'm against the prevention of FF installs, I have to help an ATer. Is there anyway you can keep users from creating their own folders? That's the only way I can think of.

Even if he prevents folder creation he would also have to turn off the USB ports on each computer. There's a good chance that if he turns off folder creation it'll break a LOT of stuff.

 

[blurredvision]

Originally posted by: Lemon law
ignoring the existence of Firefox and other alternative browsers is just about the stupidest thing I ever heard of

Ignoring the fact that the OP clearly stated this is only for internal use, then arguing your typical Firefox fanboy bias bullsh|t is probably the stupidest thing I've ever seen.

 

[GundamSonicZeroX]

Originally posted by: nsafreak

Originally posted by: GundamSonicZeroX
While, I'm against the prevention of FF installs, I have to help an ATer. Is there anyway you can keep users from creating their own folders? That's the only way I can think of.

Even if he prevents folder creation he would also have to turn off the USB ports on each computer. There's a good chance that if he turns off folder creation it'll break a LOT of stuff.

That's doable. I remember a teacher at my old school that would create just enough folders to get our work done. I imagine it can be done over there.

 

[Batman5177]

Thanks everyone for your input. From what I can see as Helpdesk support, people are reporting that pages and data doesn't load correctly, but there may be other underlying problems also. Since the development team is small (3 people), they have limited QA time to support multiple browsers. This is a nonprofit company also, so hiring more developers and testers is not an option. So while people on the outside may think they are "lazy," it is more like they are already overworked. Anyways, the decision to go with IE7 has already been made, and there is nothing I can say to change their minds.

I could tell users not to install Firefox, but this would be a never-ending problem. New employees, or current ones that just don't listen, will install Firefox anyways. Then the next user of that workstation will be calling me saying that the program doesn't work. So I'll uninstall it again and the cycle would start over again. Please keep in mind that I am not one of the developers, only the Helpdesk.

I am also aware of "Firefox Portable," but at least that doesn't affect the next user who logs onto that workstation.

 

[Batman5177]

I don't need to turn off USB ports on each computer. Since each user logs on as a guest, their USB drive won't be installed because they don't have local admin access to install new hardware.

And thank you blurredvision for noticing that is it an internal application!

 

[slpaulson]

Would it be difficult to make your webpage detect what browser a user is using, and redirect to a page that says the website only works in IE if it detects something other than IE?

 

[MrChad]

You should be able to block the FireFox executable from running using group policy.

 

[mechBgon]

cliffs: How can I prevent users from installing Firefox?
Thanks in advance.

Software Restriction Policy, set to Disallowed mode. End. Of. Problem.

(this will keep them from running other unauthorized stuff, too)

 

[namelessentity]

Originally posted by: cRazYdood
Would it be difficult to make your webpage detect what browser a user is using, and redirect to a page that says the website only works in IE if it detects something other than IE?

Exactly what I was going to say. Where I work if you try to access anything on the intranet through another browser it just tells you that everything is designed for IE. You could go a step further and put something in that says "This software is not compatible with Firefox, and as a reminder it is a serious violation of company policy to install outside software on this workstation." That should scare off any novice, they'll assume they're being watched.

 

[Batman5177]

I have tried using group policy to block firefox.exe, but after I renamed it to firefox2.exe, it still loaded.

My reason, as the desktop support side, for likeing IE7 (aside from the developers' reasons), is that my WSUS server automatically installs security updates for IE7, but I still see some Firefox installations that are still on version 0.7. WSUS doesn't support third-party apps, so I see it as another security hole.

 

[mechBgon]

Originally posted by: Batman5177
I have tried using group policy to block firefox.exe, but after I renamed it to firefox2.exe, it still loaded.

My reason, as the desktop support side, for likeing IE7 (aside from the developers' reasons), is that my WSUS server automatically installs security updates for IE7, but I still see some Firefox installations that are still on version 0.7. WSUS doesn't support third-party apps, so I see it as another security hole.

Use Software Restriction Policy in Disallowed mode. They can rename FireFox anything they want, and SRP will still slap it down because it's a .EXE file that they're attempting to run from a location (namely, someplace inside their profile, such as their Desktop) that is not in the Unrestricted list.

And as Restricted Users, they cannot put the stuff in the locations that are in the Unrestricted list. Gotcha. Try it, this is what it's there for. This isn't the only good reason to use a SRP, either.

 

[Batman5177]

Software Restriction Policy looks great! I will try it on monday. Thank you to everyone for your ideas.

 

[mechBgon]

Sure thing By the way, if your domain has login scripts, add a Path Rule that allows them to be run from their network share. As my makeshift page mentions, the Event Viewer logs will show you what's the hangup, if there are problems, so you can add rules to accomodate special cases. Microsoft has better info: Using Software Restriction Policies to Protect Against Unauthorized Software (for Vista in this case, but still useful).

 

[Batman5177]

mechBgon, I see on your website that the "user" folder can only save new files in that folder. How did you set up the policy on that folder? Did you have to add that folder as an addition rule, and what security level does it have?

In your example of UT2004Demo folder, the user has unrestricted access. Will they be able to save and run executeables in that folder? If they put Firefoxsetup.exe in that folder and installed it in there also, would Firefox run?

 

[mechBgon]

Originally posted by: Batman5177
mechBgon, I see on your website that the "user" folder can only save new files in that folder. How did you set up the policy on that folder? Is it set to "Basic User"?

Actually I didn't set up anything special on the C:\Documents and Settings\user folder. It's just a normal folder like everyone's user account already has, there's nothing special to do there.

Also, does this prevent users from saving bookmarks and files to the desktop?

They can save stuff on their desktop, but if it's one of the filetypes in the Designated File Types list, it won't be permitted to execute. Besides LNK, the other one you may need to exempt is .MDB (Microsoft Access database filetype), do a little test if your users run Access.

 

[Batman5177]

I guess I was editing my post as you were replying to it! Thanks for being so quick on it though!

Here's what I added:

In your example of UT2004Demo folder, the user has unrestricted access. Will they be able to save and run executeables in that folder? If they put Firefoxsetup.exe in that folder and installed it in there also, would Firefox run?

 

[Markbnj]

Originally posted by: blurredvision

Originally posted by: Lemon law
ignoring the existence of Firefox and other alternative browsers is just about the stupidest thing I ever heard of

Ignoring the fact that the OP clearly stated this is only for internal use, then arguing your typical Firefox fanboy bias bullsh|t is probably the stupidest thing I've ever seen.

QFT. Man, get off this guy's back. You guys who think it shouldn't be any trouble to make their corporate intranet software run across multiple browsers must not have ever worked in an IT department, and you definitely don't know what the software is doing, or what technologies it uses that are available in a homogenous environment, but not cross-browser.

Aside from that, how many corporations out there, of any size and complexity, don't try to control what users have on their desktops? Wrong or right, it certainly isn't the OPs battle to fight, and fighting it is probably a good way to either lose your job or get permanently assigned to the QA team for some obscure app that nobody uses.

To the OP: why not simply detect the browser on entry to the application, and inform your users that they cannot access the application from that browser? If it is more a matter of trying to get policy enforcement over desktop config., then there are expert sysadmins here who can help you better than I can.

 

[Batman5177]

Markbnj, you hit the nail right on the head! I defintely dont want to be the assigned as a QA tester or having the task of reworking all the code to work with multiple browsers. And it's not my place to be telling the dev team what they should be doing. I will suggest to them browser checking though.

I still have my own desktop support side issue where an out-of-date Firefox is a security hole.

Originally posted by: Batman5177

My reason, as the desktop support side, for likeing IE7 (aside from the developers' reasons), is that my WSUS server automatically installs security updates for IE7, but I still see some Firefox installations that are still on version 0.7. WSUS doesn't support third-party apps, so I see it as another security hole.

 

[sandorski]

Send out a Memo: Finding Firfox on your system will result in much pain and suffering!!!*******IOW, don't install it or else!!!!*******

Can't you just limit their accounts to not be able to Install anything?