Prevent user from installing software

If you want to prevent a specific piece of software from installing, you can try importing its certificate (digital signature) into "Untrusted certificates". Then whenever he tries to install it, the UAC dialog will show "This software is untrusted" instead of prompting you to grant Administrator access to the installer program.

There is a safer way to use the installer's certificate, but it may slow down the whole system a little. You can import Avast's cert into the Group Policy, so even if it doesn't require Admin privileges, it won't run.

If you want to block all software installation, then give him a User account (without Admin privileges). It could be the only solution for blocking everything, though. You need to ensure that your grandfather doesn't need Admin privileges frequently.

If it allows, you can configure your current AV software so that it distrusts Avast's certificate, and it may delete the installer immediately after he downloads it. This is also a good option.


Anyway, I personally believe that educating your grandfather to resist ads and all those free trials is the ultimate solution. Then you won't have to bother with this and that to prevent him from installing them.


Prevent Execution of Downloaded Programs

In addition to @iBug's good suggestion to remove administrative rights from your grandfather's account (after making another account with admin rights first!), you should prevent execution of files (i.e. software installers) saved to the Downloads directory.

Do this by editing the NTFS permissions on the Downloads folder and clearing the Traverse folder/execute file permission.

This will prevent any executable saved in this folder from being started. You may wish to do this to the Desktop folder as well.

The advantage of this method in combination with removing admin rights from the account is that it prevents running any installer, not just those that require admin rights. Many unwanted programs will still install if the user does not have admin rights, but if the program can't be executed in the first place, it doesn't matter.
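One way to script the permission change described in the answer above, as an added example that is not part of the original answer. It swaps in an explicit deny entry for "Traverse folder / execute file" that is inherited by files only, instead of clearing the allow permission by hand; the account name `grandpa` and the folder paths are assumptions.

```powershell
# Added example. Run from an elevated prompt under the separate admin account.
param(
    [string]   $UserName = 'grandpa',                       # hypothetical account name
    [string[]] $Folders  = @('C:\Users\grandpa\Downloads',  # hypothetical paths
                             'C:\Users\grandpa\Desktop')
)

# ExecuteFile and Traverse are the same access bit; it means "execute" on a
# file and "traverse" on a folder.
$rights = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

# ObjectInherit + InheritOnly: the entry is inherited by files under the folder
# but is not effective on the folder itself, so the folder can still be opened.
$inherit   = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$propagate = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$deny      = [System.Security.AccessControl.AccessControlType]::Deny

foreach ($folder in $Folders) {
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        Write-Warning "Skipping missing folder: $folder"
        continue
    }

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $UserName, $rights, $inherit, $propagate, $deny)

    $acl = Get-Acl -LiteralPath $folder
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $folder -AclObject $acl

    # Show the deny entries now on the folder so the change can be confirmed.
    (Get-Acl -LiteralPath $folder).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Format-Table IdentityReference, FileSystemRights,
                     InheritanceFlags, PropagationFlags -AutoSize
}
```

If the restricted account owns the folder, which is usual for a profile folder, it can still edit this ACL, so the entry stops accidental launches rather than a determined user. To confirm the result, sign in as that account and start an executable saved in Downloads; it should fail with an access-denied error.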


I've done this for both a tech-illiterate family friend (who thinks "hot_nympho_girls_movie.exe" is legitimate, even after a dozen reminders) and on laptops at work that are loaned out to students on a daily basis (we want them to install drivers and software they need, but don't want to reimage the machine at the end of each day).

We used Toolwiz Time Freeze, which is a free product. You install it, set the machine up how you want it, then enable the software. When the computer is restarted, it's returned to the point at which you turned the software on. You can "unfreeze" specific files and folders (e.g. I unblocked Thunderbird's config folders so emails persisted between reboots) so you can give or take as much control as necessary.

This is probably a bit overkill, but it works great for us, because each machine we loan is "ready to go" the moment it's shut down at the end of the day. And our family friend hasn't complained about popups and toolbars mysteriously appearing.