Hello All,
Now then - this is a nasty one.
We run a windows domain with 2003 Enterprise servers and XP Pro clients. About a year ago we removed all the floppy drives from our client machines and installed some swish new USB2.0 adaptors in their place, and started issuing USB Flash Pens to staff and students. So far so good.
It came to our attention recently that students were playing some stupid game on client machines, by running a no-install-necessary standalone .exe direct from the flash pens (we use Group Policy to prevent them from installing software or saving .exe's to their network mapped home drives).
So, discovering the name of the illicit .exe, it was simple enough to use Group Policy to prevent execution of the .exe in question, but still we have a problem - What do we do to prevent them from running .exe's the name of which we don't yet know? It seems that as we stand any of our users could run a (potentially devastating) program on a networked computer and we couldn't do a thing to prevent it. So - anyone know of any .adm's I can use to prevent execution of .exe's from removable storage?
Incidentally - does anyone else see this as a potentially fatal flaw in Microsofts security? I dread to think what could happen if some clever little bugger started compiling his own .exe's...