MozillaZine

Firefox and Software Restriction GPO

User Help for Mozilla Firefox
daniela.shipman
 
Posts: 3
Joined: March 5th, 2015, 1:49 pm

Post Posted March 5th, 2015, 2:27 pm

We require the use of Firefox for some of our webpages to function properly since many of our webpages that are from our associated companies don't seem to work with IE9/10. IE8 is out of the question obviously due to no webpages allowing it to function properly anymore due to it's age and previous zero-day exploits.


The stage as it sits:

We have in place a GPO that prevents applications from running from undesired locations, mostly to prevent malicious software infecting the user profile locations such as AppData\LocalLow and Roaming. The server is 2008 R2 Standard.

When I try to install this software, it fails the install almost immediately with the following message;
( C:\Users\TempAd~1\AppData\Local\Temp\7zSDB22.tmp\Setup.exe ) is blocked by GPO, for information contact SysAdmin.

Here's the problem, I am the SysAdmin Managing workstation deployments and GPO Management. I'm sitting here trying to figure this out and everything else I can install; MS Office, Windows Updates, VLC Media Player, MalwareBytes, and so on... I'm experiencing this also with Java and Adobe products but those aren't for this forum. I would like to install Firefox without having to remove the computer from the protected OU into an unaffected OU.

For those of you who might want to try this set up to see what is going on;

The policy settings are:

GPO - Computer Configuration > Policies > Windows Settings > Software Restriction Policies
Security Level - Disallowed (set as default)

Additional Rules; (All are Path Rules)
%APPDATA%\Microsoft (Unrestricted)
%COMMONPROGRAMFILES% (Disallowed)
%COMMONPROGRAMFILES(X86)% (Disallowed)
%PROGRAMDATA% (Disallowed)
%PROGRAMDATA%\Microsoft (Unrestricted)
%SYSTEMDRIVE% (Unrestricted)
%SYSTEMDRIVE%\Users (Disallowed)
%TEMP% (Unrestricted)
%TMP% (Unrestricted)
%USERPROFILE%\APPDATA (Disallowed)
%USERPROFILE%\Desktop (Unrestricted)
\\FS01\SOFTWARE (Unrestricted)
\\FS02\SOFTWARE (Unrestricted)
\\FS03\SOFTWARE (Unrestricted)

As a simple explination as to why some rules look stacked, it's because they are.
Example:
%SYSTEMDRIVE% (Unrestricted) would allow anything anywhere on the hard drive to run.
%PROGRAMFILES% (Disallowed) would prevent anything within this folder or subfolders from running regardless of the setting to %SYSTEMDRIVE%.

Any Help or pointers would be helpful in resolving this.

trolly
Moderator

User avatar
 
Posts: 39908
Joined: August 22nd, 2005, 7:25 am

Post Posted March 5th, 2015, 3:28 pm

Just for completeness:
Is that the Firefox setup application?
How did you get the setup application to that place?
Think for yourself. Otherwise you have to believe what other people tell you.
A society based on individualism is an oxymoron. || Freedom is at first the freedom to starve.
Constitution says: One man, one vote. Supreme court says: One dollar, one vote.

daniela.shipman
 
Posts: 3
Joined: March 5th, 2015, 1:49 pm

Post Posted March 7th, 2015, 9:56 am

This is the installation package that can be downloaded from the webpage of Mozilla. I have the package saved to the desktop of the PC that I'm trying to resolve this issue on but as stated earlier, am having no luck in finding the solution. The are that I get by that error message is allowed and so is the users desktop, but the issue still happens. I feel I'm not getting the right error from Firefox as to why it won't install since the same message I get from the error, I get in the widows application event logs.

daniela.shipman
 
Posts: 3
Joined: March 5th, 2015, 1:49 pm

Post Posted March 9th, 2015, 6:52 am

I figured something out after a bit more testing.

Apparently Firefox requires something in the C:\Users portion to install. With the changes listed below, I get Firefox to install and run properly. The error messages received were confusing to me until I tried to install after disabling the "%SYSTEMDRIVE%\Users" rule and finding it working after that change.

I changed my rules around some and got it working by using the following rule set;

%APPDATA%\Microsoft (Unrestricted)
%COMMONPROGRAMFILES% (Disallowed)
%COMMONPROGRAMFILES(X86)% (Disallowed)
%PROGRAMDATA% (Disallowed)
%PROGRAMDATA%\Microsoft (Unrestricted)
%SYSTEMDRIVE% (Unrestricted)
%SYSTEMDRIVE%\Users (Disallowed) -- Removed this rule --
%TEMP% (Unrestricted)
%TMP% (Unrestricted)
%USERPROFILE% (Disallowed) -- Added this rule --
%USERPROFILE%\APPDATA (Disallowed)
%USERPROFILE%\Desktop (Unrestricted)
\\FS01\SOFTWARE (Unrestricted)
\\FS02\SOFTWARE (Unrestricted)
\\FS03\SOFTWARE (Unrestricted)

jharris_eps
New Member
 
Posts: 1
Joined: February 15th, 2017, 9:13 am

Post Posted February 15th, 2017, 9:16 am

Currently we create a hash rule to allow the setup.exe file from each version of firefox. It's a pain to keep updated, but we only allow the ESR version and just add when a new version comes out if we know or when we get the helpdesk ticket. The same is true for Java and Flash, however with Windows 10 and java and flash going away, we are no longer installing these by default on any machines and will review as needed. for Flash, it's built into Edge and Chrome.

Jason

DanRaisch
Moderator

User avatar
 
Posts: 122144
Joined: September 23rd, 2004, 8:57 pm
Location: Somewhere on the right coast

Post Posted February 16th, 2017, 8:58 pm

Thanks for the comments but you're replied to a thread that died two years ago. Locking due to the age of the original post.

Return to Firefox Support


Who is online

Users browsing this forum: blocker1 and 6 guests