Category: At least Windows 2000

This policy setting allows Web-based programs to install software on the computer without notifying the user. If you disable or do not configure this policy setting by default when a script hosted by an Internet browser tries to install a program on the system the system warns users and allows them to select or refuse the installation. If you enable this policy setting the warning is suppressed and allows the installation to proceed. This policy setting is designed for enterprises that use Web-based tools to distribute programs to their employees. However because this policy setting can pose a security risk it should be applied cautiously.

Specifies the types of events that Windows Installer records in its transaction log for each installation. The log Msi. log appears in the Temp directory of the system volume. When you enable this policy setting you can specify the types of events you want Windows Installer to record. To indicate that an event type is recorded type the letter representing the event type. You can type the letters in any order and list as many or as few event types as you want. To disable logging delete all of the letters from the box. If you disable or do not configure this policy setting Windows Installer logs the default event types represented by the letters “iweap. “

This policy setting prevents users from searching for installation files when they add features or components to an installed program. If you enable this policy setting the Browse button beside the “Use feature from” list in the Windows Installer dialog box is disabled. As a result users must select an installation file source from the “Use features from” list that the system administrator configures. This policy setting applies even when the installation is running in the user’s security context. If you disable or do not configure this policy setting the Browse button is enabled when an installation is running in the user’s security context. But only system administrators can browse when an installation is running with elevated system privileges such as installations offered on the desktop or in Add or Remove Programs. This policy setting affects Windows Installer only. It does not prevent users from selecting other browsers such as File Explorer or Network Locations to search for installation files. Also see the “Enable user to browse for source while elevated” policy setting.

This policy setting permits users to change installation options that typically are available only to system administrators. If you enable this policy setting some of the security features of Windows Installer are bypassed. It permits installations to complete that otherwise would be halted due to a security violation. If you disable or do not configure this policy setting the security features of Windows Installer prevent users from changing installation options typically reserved for system administrators such as specifying the directory to which files are installed. If Windows Installer detects that an installation package has permitted the user to change a protected option it stops the installation and displays a message. These security features operate only when the installation program is running in a privileged security context in which it has access to directories denied to the user. This policy setting is designed for less restrictive environments. It can be used to circumvent errors in an installation program that prevents software from being installed.

This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. If you enable this policy setting Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result Windows Installer cannot restore the computer to its original state if the installation does not complete. This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However because an incomplete installation can render the system or a program inoperable do not use this policy setting unless it is essential. This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder it is considered be enabled even if it is explicitly disabled in the other folder.

This policy setting prevents users from using Windows Installer to install patches. If you enable this policy setting users are prevented from using Windows Installer to install patches. Patches are updates or upgrades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs some installations prohibit their use. Note: This policy setting applies only to installations that run in the user’s security context. If you disable or do not configure this policy setting by default users who are not system administrators cannot apply patches to installations that run with elevated system privileges such as those offered on the desktop or in Add or Remove Programs. Also see the “Enable user to patch elevated products” policy setting.

This policy setting restricts the use of Windows Installer. If you enable this policy setting you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting. — The “Never” option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behavior for Windows Installer on Windows 2000 Professional Windows XP Professional and Windows Vista when the policy is not configured. — The “For non-managed applications only” option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Server 2003 family when the policy is not configured. — The “Always” option indicates that Windows Installer is disabled. This policy setting affects Windows Installer only. It does not prevent users from using other methods to install and upgrade programs.