How to Restrict Domain Users from Installing Software via Group Policy in Windows Server 2003



When domain users can install applications like Chrome even though they are not local administrators, the cause is usually one of three things:

  • Insufficient Group Policy restrictions (no Software Restriction Policy in effect on the workstation)
  • Lax NTFS permissions on the Program Files directories
  • The application ships a per-user installer that writes only into the user's own profile (Chrome's consumer installer falls back to this when the user is not an administrator), so no elevated rights are needed in the first place

1. Modify Group Policy Object (GPO)

Create or edit a GPO linked to the Organizational Unit that holds the workstations. Software Restriction Policies are a computer setting, so link the GPO where the computer accounts live, not where the user accounts live:

# Open Group Policy Management Console
gpmc.msc

# Navigate to:
Computer Configuration → Windows Settings → Security Settings → Software Restriction Policies

2. Configure Software Restriction Policies

Right-click Software Restriction Policies, choose New Software Restriction Policies, then add a Disallowed path rule under Additional Rules for Chrome's per-user install directory. The editor stores each rule as its own GUID-named key under CodeIdentifiers\<level>\Paths (level 0 = Disallowed, 262144 = Unrestricted); there is no single "Paths" value to set. The equivalent registry write, for a local policy on a standalone machine, is the following (a domain GPO that contains SRP settings overwrites local values under HKLM\SOFTWARE\Policies on the next refresh):

# Path rule to disallow Chrome's per-user install directory.
# On XP/Server 2003 profiles live under "Documents and Settings", not "C:\Users",
# so use %USERPROFILE%; ItemData is REG_EXPAND_SZ and expands per user.
$rule = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\" + [guid]::NewGuid().ToString("B")
New-Item -Path $rule -Force | Out-Null
New-ItemProperty -Path $rule -Name "ItemData" -Value "%USERPROFILE%\Local Settings\Application Data\Google\Chrome\*" -PropertyType ExpandString
New-ItemProperty -Path $rule -Name "SaferFlags" -Value 0 -PropertyType DWord
New-ItemProperty -Path $rule -Name "Description" -Value "Block Chrome per-user install" -PropertyType String

3. Check NTFS Permissions

Users can only write into Program Files if someone loosened the default ACL: by default Administrators, SYSTEM and (on XP/2003) Power Users can modify it, while Users has Read & Execute only. Do not fix it with a Deny ACE for Modify. Modify includes Read & Execute, so denying it to Domain Users would stop them from running anything installed under Program Files. List the ACL and strip any explicit grant that was added for the group instead; members keep Read & Execute through BUILTIN\Users:

icacls "C:\Program Files"
icacls "C:\Program Files" /remove:g "DOMAIN\Domain Users"
icacls "C:\Program Files (x86)" /remove:g "DOMAIN\Domain Users"

icacls ships with Windows Server 2003 SP2 and later; XP clients only have cacls. Either way this does not affect Chrome's per-user install, which never writes to Program Files.
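Rather than reading icacls output by eye, the function below (an added example, not code from the original page) walks the Program Files ACLs and reports any Allow ACE that gives a non-administrative principal a right capable of adding, replacing or deleting files. The list of principals in $NonAdmin is an assumption; add whatever groups your domain uses. It also catches inherit-only ACEs, which Get-Acl reports as generic rights the FileSystemRights enum does not name.

```powershell
# Added example, not code from the original page: reports ACEs on the Program Files
# directories that give a non-administrative principal any right that lets it add,
# replace or delete files. $NonAdmin is an assumption; extend it for your domain.
# Runs on PowerShell 2.0 with Get-Acl, no icacls parsing needed.

function Get-WritableProgramFilesAce {
    param(
        [string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
        [string[]]$NonAdmin = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users',
                                "$env:USERDOMAIN\Domain Users")
    )
    # Specific rights that allow changing the tree's contents; Modify and FullControl include them.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership, WriteAttributes, WriteExtendedAttributes'
    # Inherit-only ACEs are stored as generic rights, which the enum has no names for.
    $genericWrite = 0x40000000
    $genericAll   = 0x10000000

    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path $root)) { continue }   # no (x86) dir on 32-bit hosts
        $acl = Get-Acl -Path $root
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($NonAdmin -notcontains $ace.IdentityReference.Value) { continue }
            $raw = [int]$ace.FileSystemRights
            $canWrite = (($raw -band $writeMask) -ne 0) -or
                        (($raw -band $genericWrite) -ne 0) -or
                        (($raw -band $genericAll) -ne 0)
            if ($canWrite) {
                New-Object PSObject -Property @{
                    Path      = $root
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                    AppliesTo = $ace.InheritanceFlags
                }
            }
        }
    }
}

# A default Server 2003 / XP ACL returns nothing: Users only has ReadAndExecute here.
Get-WritableProgramFilesAce | Format-Table Path, Identity, Rights, Inherited, AppliesTo -AutoSize
```

An empty result is the expected state. Any row with Inherited = False is an explicit grant somebody added to the directory and is the one to remove with icacls /remove:g; a row with Inherited = True means the problem starts higher up the tree.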

For more granular control on newer clients, AppLocker can be used instead, but it requires Windows 7 / Windows Server 2008 R2 or later (with the Application Identity service running) and is not available on Windows Server 2003, R2 included, or on XP. New-AppLockerPolicy only generates Allow rules, so create the publisher rule from a copy of the installer, switch Action="Allow" to Action="Deny" in the resulting XML, then import it:

# AppLocker publisher rule (Windows 7 / Server 2008 R2 and later only)
Get-AppLockerFileInformation -Path "C:\Temp\ChromeSetup.exe" |
    New-AppLockerPolicy -RuleType Publisher -User "DOMAIN\Domain Users" -RuleNamePrefix "BlockChrome" -Xml |
    Out-File "C:\Temp\BlockChrome.xml"
# Edit C:\Temp\BlockChrome.xml and change Action="Allow" to Action="Deny", then merge it in:
Set-AppLockerPolicy -XmlPolicy "C:\Temp\BlockChrome.xml" -Merge

After implementation:

  1. Run gpupdate /force on the client machines (SRP is computer policy; reboot the test client if the rules do not seem to take effect)
  2. Attempt the Chrome installation from a test domain account, and also try launching an already-installed per-user copy of chrome.exe
  3. Check the Application log in Event Viewer for events from source "Software Restriction Policies": ID 865 (default level), 866 (path rule), 867 (certificate rule) and 868 (hash rule) each name the file that was blocked and the rule that matched

For applications that install into the user profile (like Chrome's user-level install), the Windows Installer policy below disables per-user MSI installations. It is the registry value behind the "Prohibit User Installs" setting under Computer Configuration → Administrative Templates → Windows Components → Windows Installer, and it only covers Windows Installer packages: Chrome's consumer installer is a plain executable that copies files into the profile, so it is unaffected and needs the SRP path rule above.

# Registry value behind "Prohibit User Installs" (Windows Installer packages only).
# GPO-managed clients get this from the template; the local write is for standalone machines.
$installer = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer"
if (-not (Test-Path $installer)) { New-Item -Path $installer -Force | Out-Null }
Set-ItemProperty -Path $installer -Name "DisableUserInstalls" -Value 1 -Type DWord

When managing a Windows domain environment, you might find that standard domain users can still install applications like Chrome without local administrator privileges. Beyond the per-user installer itself, this typically occurs due to:

  • Insufficient Group Policy restrictions
  • Overly permissive user rights assignments (for example, users placed in Power Users or the local Administrators group on the workstation)
  • Missing Software Restriction Policies

Here's how to lock this down through Group Policy on Windows Server 2003:

1. Open Group Policy Management Console (gpmc.msc) and edit a GPO linked to the workstations' OU
2. Navigate to: Computer Configuration → Windows Settings → Security Settings → Software Restriction Policies
3. Right-click Software Restriction Policies and select "New Software Restriction Policies"; under Enforcement choose whether the rules apply to all users or to all users except local administrators
4. Under Additional Rules, create a new hash rule for the Chrome installer (for example chrome_installer.exe or ChromeSetup.exe) with the security level Disallowed

A hash rule matches one exact build of the file, and Google republishes the installer frequently, so on its own it goes stale quickly. Pair it with a Disallowed path rule for the per-user install directory (%USERPROFILE%\Local Settings\Application Data\Google\Chrome\* on XP/Server 2003), which also stops a copy that was already installed from running.

For administrators managing multiple machines, here's a PowerShell script to create and link the GPO. The GroupPolicy module ships with Windows Server 2008 R2 and the Windows 7 RSAT, not with Server 2003, so run it from such a management workstation against the 2003 domain:

# Import GroupPolicy module (Server 2008 R2 / Windows 7 RSAT)
Import-Module GroupPolicy

# Create new GPO
$gpo = New-GPO -Name "SoftwareInstallationRestriction"

# Software Restriction Policy enforcement values. DefaultLevel 0 = Disallowed (nothing runs
# unless an Unrestricted rule allows it; the editor adds rules for %SystemRoot% and
# %ProgramFiles% for you), 65536 = Basic User, 262144 = Unrestricted (only the Disallowed
# Additional Rules block). Start with 262144 plus Disallowed rules for Chrome; move to 0
# only after testing, because a bare DefaultLevel of 0 blocks every user application.
$key = "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
Set-GPRegistryValue -Name $gpo.Name -Key $key -ValueName "DefaultLevel" -Type DWord -Value 262144
Set-GPRegistryValue -Name $gpo.Name -Key $key -ValueName "TransparentEnabled" -Type DWord -Value 1
Set-GPRegistryValue -Name $gpo.Name -Key $key -ValueName "PolicyScope" -Type DWord -Value 0

# Apply to specific OU
New-GPLink -Name $gpo.Name -Target "OU=Workstations,DC=domain,DC=com"

For environments without Group Policy infrastructure, the same Software Restriction Policy can be configured locally with secpol.msc (Local Security Policy → Software Restriction Policies); it writes the same CodeIdentifiers keys as the GPO. The registry file below is often suggested for this purpose, but its three values are the User Account Control switches that exist only on Windows Vista / Server 2008 and later. On Windows XP and Server 2003 they are ignored, and even on Vista and later they only force an elevation prompt for detected installers; they do not stop an installer that writes into the user's own profile:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableInstallerDetection"=dword:00000001
"EnableSecureUIAPaths"=dword:00000001
"EnableLUA"=dword:00000001
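The script below is an added example, not code from the original page, and serves both the path-rule step in the first answer and the standalone-machine case here: it writes a Software Restriction Policy into the registry in exactly the layout secpol.msc and the GPO editor use, enabling enforcement and then adding Disallowed path rules. The rule paths and descriptions are assumptions for Chrome on an XP/Server 2003 profile layout; the same keys and values can be handed to Set-GPRegistryValue for a domain GPO.

```powershell
# Added example, not code from the original page: writes a Software Restriction Policy
# into the registry the way secpol.msc / the GPO editor store it. Run as an administrator
# on a standalone XP/2003 machine. Rule paths and descriptions are assumptions for Chrome.
# A domain GPO that carries SRP settings overwrites anything written locally under
# HKLM\SOFTWARE\Policies on the next policy refresh.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Enable-SrpEnforcement {
    # The values "New Software Restriction Policies" writes. DefaultLevel: 262144 = Unrestricted
    # (only Disallowed rules block), 65536 = Basic User, 0 = Disallowed (only Unrestricted rules run).
    # TransparentEnabled: 1 = check executables, 2 = also check DLLs.
    # PolicyScope: 0 = all users, 1 = all users except local administrators.
    if (-not (Test-Path $Safer)) { New-Item -Path $Safer -Force | Out-Null }
    Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value 262144 -Type DWord
    Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1      -Type DWord
    Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0      -Type DWord
    Set-ItemProperty -Path $Safer -Name ExecutableTypes    -Type MultiString -Value @(
        'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS','ISP',
        'LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS','URL','VB','WSC')
}

function New-SrpPathRule {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [int]$Level = 0,                       # 0 = Disallowed, 262144 = Unrestricted
        [string]$Description = ''
    )
    $levelKey = Join-Path $Safer "$Level\Paths"
    if (Test-Path $levelKey) {
        # Idempotent: reuse an existing rule for the same path. Read ItemData unexpanded,
        # because Get-ItemProperty would expand %USERPROFILE% to the current user's profile.
        foreach ($existing in Get-ChildItem $levelKey) {
            if ($existing.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames') -eq $Path) {
                return $existing.Name
            }
        }
    }
    # Each rule is its own GUID-named key; ItemData is REG_EXPAND_SZ and SaferFlags is always 0.
    $ruleKey = Join-Path $levelKey ([guid]::NewGuid().ToString('B'))
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path                   -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0                       -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value $Description            -PropertyType String       | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value (Get-Date).ToFileTime() -PropertyType QWord        | Out-Null
    return $ruleKey
}

Enable-SrpEnforcement
# XP/Server 2003 profile layout; the installer rule assumes the user saved it to the Desktop.
New-SrpPathRule -Path '%USERPROFILE%\Local Settings\Application Data\Google\Chrome\*' -Description 'Block Chrome per-user install'
New-SrpPathRule -Path '%USERPROFILE%\Desktop\ChromeSetup*.exe' -Description 'Block Chrome installer on the Desktop'

# List every Disallowed path rule now in place, unexpanded as stored.
Get-ChildItem (Join-Path $Safer '0\Paths') | ForEach-Object {
    '{0}  {1}' -f $_.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames'), $_.GetValue('Description')
}
```

A file-name rule on the installer is only a speed bump, since renaming or moving the file evades it. The rule on the profile directory is what actually matters, because a non-administrator's installer can only write there, and it also stops a copy that was installed before the policy arrived from starting. The durable end state is DefaultLevel 0 with Unrestricted rules for %SystemRoot% and %ProgramFiles%, which is what the GPO editor's default rules give you.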

After implementation, verify the restrictions by:

  1. Attempting to run the Chrome installer as a domain user, and launching an already-installed per-user chrome.exe
  2. Checking the Application log in Event Viewer for events from source "Software Restriction Policies" (IDs 865 through 868; each names the blocked file and the rule that matched)
  3. Validating policy application with gpresult (on XP/Server 2003 use gpresult or gpresult /v; the /r switch only exists on Vista and later) and confirming the GPO is listed under Applied Group Policy Objects for the computer

If policies don't apply as expected:

  • Run gpupdate /force on client machines and reboot: SRP is a computer setting and new rules only affect processes started after the policy is applied
  • Check policy inheritance, precedence and any Block Inheritance / Enforced flags with Group Policy Results in gpmc.msc
  • Verify network connectivity to domain controllers and that the client can read SYSVOL
  • Ensure Windows XP clients have the latest service pack
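To turn the Event Viewer check in both verification lists above into something repeatable, the script below (an added example, not code from the original page) pulls the Software Restriction Policy block events from a client's Application log and summarises which file was stopped by which kind of rule. The two sample messages at the bottom are constructed for the offline demo, the GUID in them is made up, and the real event text can differ slightly, so the parser keys only on the stable fragments.

```powershell
# Added example, not code from the original page: collects Software Restriction Policy
# block events from a client's Application log (source "Software Restriction Policies",
# event IDs 865 to 868) and summarises which file was stopped by which rule.
# Get-EventLog is available in PowerShell 2.0 on XP SP3 / Server 2003 SP2.
# The sample messages below are constructed for the offline demo; the GUID is made up.

function ConvertFrom-SrpEvent {
    param([int]$EventID, [string]$Message, [datetime]$Time)
    # 865 = default security level, 866 = path rule, 867 = certificate rule, 868 = hash rule
    $kind = switch ($EventID) {
        865     { 'default level' }
        866     { 'path rule' }
        867     { 'certificate rule' }
        868     { 'hash rule' }
        default { 'not an SRP block' }
    }
    $file = $null
    $rule = $null
    # Keyed on stable fragments only; exact wording varies between rule types.
    if ($Message -match 'Access to (?<file>.+?) has been restricted') { $file = $Matches['file'] }
    if ($Message -match '(?<rule>\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})') { $rule = $Matches['rule'] }
    New-Object PSObject -Property @{ Time = $Time; EventID = $EventID; Kind = $kind; File = $file; Rule = $rule }
}

function Get-SrpBlock {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Newest = 200)
    # Live query: run on (or against) the test client after gpupdate and the install attempt.
    Get-EventLog -LogName Application -Source 'Software Restriction Policies' `
                 -ComputerName $ComputerName -Newest $Newest -ErrorAction SilentlyContinue |
        Where-Object { (865..868) -contains $_.EventID } |
        ForEach-Object { ConvertFrom-SrpEvent -EventID $_.EventID -Message $_.Message -Time $_.TimeGenerated }
}

# Offline demo on constructed events (not real log entries).
$sample = @(
    @{ EventID = 866; Time = Get-Date
       Message = 'Access to C:\Documents and Settings\jdoe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe has been restricted by your Administrator by location with policy rule {3f2b9c1e-7d4a-4c2b-9e1f-0a5b6c7d8e9f} placed on path %USERPROFILE%\Local Settings\Application Data\Google\Chrome\*.' }
    @{ EventID = 865; Time = Get-Date
       Message = 'Access to C:\Documents and Settings\jdoe\Desktop\ChromeSetup.exe has been restricted by your Administrator by the default software restriction policy level.' }
)
$sample | ForEach-Object { ConvertFrom-SrpEvent -EventID $_.EventID -Message $_.Message -Time $_.Time } |
    Format-Table EventID, Kind, File, Rule -AutoSize

# Live run against a client, same output shape:
# Get-SrpBlock -ComputerName 'WKS01' | Format-Table EventID, Kind, File, Rule -AutoSize
```

A rule GUID in the output can be matched directly against the key names under CodeIdentifiers\0\Paths (or \Hashes) in the GPO or local policy, which tells you which Additional Rule fired. No 86x events at all after a failed install attempt means the policy was not the thing that stopped it, so go back to gpresult before touching the rules.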