Hello, I am trying to fix a problem that my friend is having at he's work. The problem is none of the computer have administrator privilages, which is normal. But the anti-virus can't update it definition files, unless it open windows installer. But if we enable windows installer, then people on the network can install what they want on there computers, and we don't want that. Is there a way to cure this problem.

Are you in charge of "security"?...........contact your admin or manager. Are you trying to do work that you're not going get paid for? Everyone wants to be the star of a their system.
In low assurance environments, AV is a good thing... but once you lock the systems down to providing exactly the rights your users require. You're ok.

Normal users in a higher assurance environment should not ever be allowed to make changes to their system without going through proper change control channels. In fact at my work, every single desktop system is set up in the exact same manner, and users are only allowed to modify their profiles.

Many of the client applications can only be launched as reduced privilege processes, permissions are tightly controlled, again with the point of only allowing users access to the applications they need as defined by their role and to the internal data as defined by that same role definition.

This is the real problem, most security teams have no clue what their users need, and how to effectively support business needs... consequently to avoid calls to to tech support they give their users way too much rope. This would be a low assurance environment, and prime for AV controls.

Hello, I once tried to update my AVG via the AVG antivirus program itself. And I couldn't. Can't connect directly to the AVG update source.

Probably because some servers filter the connection. Or thought it was dangerous to allow such "remote" connections directly.

As the computer is under a government department...

The solution for my case was this : I downloaded the defination file, and when I check for updates... i retrieve it from my download's folder.
And it worked. Hope this helps to give you some ideas.

Although its rather stupid to be so manual in updating anti virus programs.

However, our department's Norton AntiVirus program can run its live update! Don't know why... any ideas?

That is a pretty good idea. We've been looking into using Restricted User accounts as well, and the biggest hurdle is around accounting software. We couldn't even get it to work properly when we tried Power User accounts. So I was thinking, maybe an Updates folder like yours, and the Users account would have full admin rights to it. But then there is the issue with all the different services...

The reason your Norton worked, is because it uses several services to manage the software, and those services are given Local System privelages.