I have a few users that have Local Admin rights to their computers. These users are also quite tech-savvy as well. These users like to install Zone Alarm on their machines. When that gets installed, it blocks Group Policy objects and other communications like McAfee policy updates. These users are very Group VPs as well, so a lot of IT policies are exempt from them. I have actually been asked by my bosses in IT if there was a way to use McAfee to prevent and block Zone Alarm and other personal firewalls from being installed in the first place. Does anyone know of a way to prevent users with Local Admin rights from installing Zone Alarm and other personal firewalls?
User education is an oft-overlooked portion of security programs, but arguably one of the most important. If all users aren't aware that these are company machines to be used for company business, and that third-party software jeopardizes the company's security as well as their own personal information, make sure they are aware.
However, as the saying goes, if there isn't a technical control ... "if it isn't audited, it isn't being done," so there's always a need for a backstop.
The way I'd tackle this is to use a vulnerability scanning tool (as we're in McAfee land here, I suppose I should mention Foundstone being a tool of this class... though, honestly, not a terribly well reputed one) and create an audit/report for machines that my vulnscan tool on a weekly scan couldn't get to the box to do credentialed scanning, and use that as a trigger to go beat on^H^H^H^H^H^H^H^H^H educate the user to the corporate policy.
Other approaches which involve more overhead are to follow the best-practice but non-trivial-to-implement policy of eliminating admin authority from users so they can't install anything, or I'm sure McAfee would be happy to sell us all application whitelisting wares to keep this under control; however, even sales would tell you that app whitelisting on desktops is a rather high-touch proposition.
What I don't know is whether we users/admins have the ability to add our own files and checksums to flag specific installers as unwanted software. There's probably something in access protection for VSE that might allow specific file names to get blocked, but that's easily circumvented by crafty users just renaming the file.
You could use McAfee Application Control (which used to be SolidCore) to prevent them from installing any new software, including a personal firewall.
In your VSE policies you can create custom PUP detections for the installer files; as the user attempts to download them, they are flagged as potentially unwanted programs and deleted/quarantined.
You can also block the sites as there should be no reason to access them.
I don't recommend using Application Control on systems other than ICS, ATM, and other pretty static devices. The user's desktop is a bit too hard to manage with such software.
In addition to PUP, you can create a custom rule on Access Protection and prevent the launch of certain files (it allows the use of wildcards), or the creation of files and directories at certain paths.