Prevent standard user from installing "current-user" software in a normal way?

security group-policy uac

Solution 1:

"Current User" installs don't require any privilege that the user wouldn't need for normal work. There is no difference between an installer tool creating a file, and a word processor doing that.

"All users" installs require the admin password only because the directories they write to are not writable for the current user.

UAC comes into the picture when an user requests permission to do something they aren't allowed to, but as long as users are permitted to save their work into their personal folder, they are allowed to create files and directories, and no more specific permission exists that can be revoked.

Solution 2:

DisableUserInstalls Method

There is a registry key that might work for you.

Navigate to (or create) the key:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Create a new DWORD value:
DisableUserInstalls

  • 1 = no way Jose
  • 0 = normal operation

This link has more information on the topic.

Keep in mind that with this method.. if a program doesn't use MSI and is tricky enough.. there is no way for Windows to know that it is an installer program.

AppLocker Method

There is also a feature introduced with Windows 7 called AppLocker which can allow you to whitelist or blacklist specific applications and usage of specific DLLs by applications. More on that here.

Keep in mind that with this method, unless you use a whitelist only.. there are probably fairly simply methods around it (I am guessing this and don't know that for certain). A blacklist would be more simple to manage from an IT perspective I think. It depends on your users and the level of control that you want to exert.

You will need to play with these two methods to see which one works better for you. I hope one of them gets the job done.

Comments

I did read that you wanted a UAC popup. Not sure if that will happen here. Please read @SimonRichter answer.. it is a nice explanation of UAC.

I also read please only answer if you know the answer to exact problem ... here in SuperUser, this sort of statement might prevent you from getting the only answer that will work.

I mean no offense but if you don't like an answer, DON'T ACCEPT IT. Thats how it works here. I know it seems odd (since you asked the question) but your question is for future users too who might want other solutions to the problem.

Related

How to get around this error when unTarring an archive “tar: Cannot change ownership to uid 1000, gid 1000: Operation not permitted”
Prometheus Blackbox Exporter TCP probe returns value of 0, even when port is open (Iperf3 server)
Can I install iTunes in windows drive d directly instead of c drive?
How to open Office 365 documents in "Viewing" mode by default?
How to reduce the size of the header / footer in microsoft word?
Difference between WSL with GUI and Hyper-V Virtual Machine
How do I determine which boot partition is Windows 10 using
My bad, accidently copied over 12,000 photos to desktop
Make existing Windows 10 installation bootable from USB
What technology does this State Online icon belong to in Windows File Explorer
Are faster processors hotter?
Why does Bash give "No such file or directory" for a program that's in my PATH?