Firefox and Software Restriction GPO

daniela.shipman
Posts: 3
Joined: March 5th, 2015, 1:49 pm

Firefox and Software Restriction GPO

Post by daniela.shipman »

We require the use of Firefox for some of our webpages to function properly since many of our webpages that are from our associated companies don't seem to work with IE9/10. IE8 is out of the question obviously due to no webpages allowing it to function properly anymore due to its age and previous zero-day exploits.


The stage as it sits:

We have in place a GPO that prevents applications from running from undesired locations, mostly to prevent malicious software infecting the user profile locations such as AppData\LocalLow and Roaming. The server is 2008 R2 Standard.

When I try to install this software, it fails the install almost immediately with the following message;
( C:\Users\TempAd~1\AppData\Local\Temp\7zSDB22.tmp\Setup.exe ) is blocked by GPO, for information contact SysAdmin.

Here's the problem, I am the SysAdmin Managing workstation deployments and GPO Management. I'm sitting here trying to figure this out and everything else I can install; MS Office, Windows Updates, VLC Media Player, MalwareBytes, and so on... I'm experiencing this also with Java and Adobe products but those aren't for this forum. I would like to install Firefox without having to remove the computer from the protected OU into an unaffected OU.

For those of you who might want to try this set up to see what is going on;

The policy settings are:

GPO - Computer Configuration > Policies > Windows Settings > Software Restriction Policies
Security Level - Disallowed (set as default)

Additional Rules; (All are Path Rules)
%APPDATA%\Microsoft (Unrestricted)
%COMMONPROGRAMFILES% (Disallowed)
%COMMONPROGRAMFILES(X86)% (Disallowed)
%PROGRAMDATA% (Disallowed)
%PROGRAMDATA%\Microsoft (Unrestricted)
%SYSTEMDRIVE% (Unrestricted)
%SYSTEMDRIVE%\Users (Disallowed)
%TEMP% (Unrestricted)
%TMP% (Unrestricted)
%USERPROFILE%\APPDATA (Disallowed)
%USERPROFILE%\Desktop (Unrestricted)
\\FS01\SOFTWARE (Unrestricted)
\\FS02\SOFTWARE (Unrestricted)
\\FS03\SOFTWARE (Unrestricted)

As a simple explanation as to why some rules look stacked, it's because they are.
Example:
%SYSTEMDRIVE% (Unrestricted) would allow anything anywhere on the hard drive to run.
%PROGRAMFILES% (Disallowed) would prevent anything within this folder or subfolders from running regardless of the setting to %SYSTEMDRIVE%.

Any Help or pointers would be helpful in resolving this.
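
The stacking described in the post above can be checked offline with a small model in which the most specific matching path rule decides. This is an added example, not code from the thread; it shows that the verdict for the blocked Setup.exe path depends on what %TEMP% expands to when the rules are evaluated. The variable expansions, including the profile folder spelled as in the error message, are constructed assumptions.

```python
import ntpath
import re

U, D = "Unrestricted", "Disallowed"
# Path rules as listed in the first post.
RULES = [
    (r"%APPDATA%\Microsoft", U), (r"%COMMONPROGRAMFILES%", D),
    (r"%COMMONPROGRAMFILES(X86)%", D), (r"%PROGRAMDATA%", D),
    (r"%PROGRAMDATA%\Microsoft", U), (r"%SYSTEMDRIVE%", U),
    (r"%SYSTEMDRIVE%\Users", D), (r"%TEMP%", U), (r"%TMP%", U),
    (r"%USERPROFILE%\APPDATA", D), (r"%USERPROFILE%\Desktop", U),
    (r"\\FS01\SOFTWARE", U), (r"\\FS02\SOFTWARE", U), (r"\\FS03\SOFTWARE", U),
]

# Path taken from the error message in the post.
BLOCKED = r"C:\Users\TempAd~1\AppData\Local\Temp\7zSDB22.tmp\Setup.exe"

# Constructed expansions (assumption): profile folder spelled as in the error.
PROFILE = r"C:\Users\TempAd~1"
USER_ENV = {
    "SYSTEMDRIVE": "C:", "PROGRAMDATA": r"C:\ProgramData",
    "COMMONPROGRAMFILES": r"C:\Program Files\Common Files",
    "COMMONPROGRAMFILES(X86)": r"C:\Program Files (x86)\Common Files",
    "USERPROFILE": PROFILE, "APPDATA": PROFILE + r"\AppData\Roaming",
    "TEMP": PROFILE + r"\AppData\Local\Temp",
    "TMP": PROFILE + r"\AppData\Local\Temp",
}
# Constructed variant: %TEMP%/%TMP% expand to a different folder.
OTHER_ENV = dict(USER_ENV, TEMP=r"C:\Windows\Temp", TMP=r"C:\Windows\Temp")

def norm(path, env):
    """Expand %VAR% tokens, then lower-case and normalise as a Windows path."""
    expanded = re.sub(r"%([^%]+)%", lambda m: env[m.group(1).upper()], path)
    return ntpath.normcase(ntpath.normpath(expanded)).rstrip("\\")

def winning_rule(path, env, rules=RULES, default=D):
    """Return (rule, level) of the most specific path rule matching `path`."""
    target, best = norm(path, env), None
    for rule, level in rules:
        root = norm(rule, env)
        if target == root or target.startswith(root + "\\"):
            # Longer root = more specific; on a tie the restrictive level wins.
            key = (len(root), level == D)
            if best is None or key > best[0]:
                best = (key, rule, level)
    return (best[1], best[2]) if best else (None, default)
```

Comparing `winning_rule(BLOCKED, USER_ENV)` with `winning_rule(BLOCKED, OTHER_ENV)` gives the two verdicts; paths that match no rule fall back to the Disallowed default level.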
trolly
Moderator
Posts: 39851
Joined: August 22nd, 2005, 7:25 am

Re: Firefox and Software Restriction GPO

Post by trolly »

Just for completeness:
Is that the Firefox setup application?
How did you get the setup application to that place?
Think for yourself. Otherwise you have to believe what other people tell you.
A society based on individualism is an oxymoron. || Freedom is at first the freedom to starve.
Constitution says: One man, one vote. Supreme court says: One dollar, one vote.
daniela.shipman
Posts: 3
Joined: March 5th, 2015, 1:49 pm

Re: Firefox and Software Restriction GPO

Post by daniela.shipman »

This is the installation package that can be downloaded from the webpage of Mozilla. I have the package saved to the desktop of the PC that I'm trying to resolve this issue on but as stated earlier, am having no luck in finding the solution. The area that I get by that error message is allowed and so is the user's desktop, but the issue still happens. I feel I'm not getting the right error from Firefox as to why it won't install since the same message I get from the error, I get in the Windows application event logs.
daniela.shipman
Posts: 3
Joined: March 5th, 2015, 1:49 pm

Re: Firefox and Software Restriction GPO

Post by daniela.shipman »

I figured something out after a bit more testing.

Apparently Firefox requires something in the C:\Users portion to install. With the changes listed below, I get Firefox to install and run properly. The error messages received were confusing to me until I tried to install after disabling the "%SYSTEMDRIVE%\Users" rule and finding it working after that change.

I changed my rules around some and got it working by using the following rule set;

%APPDATA%\Microsoft (Unrestricted)
%COMMONPROGRAMFILES% (Disallowed)
%COMMONPROGRAMFILES(X86)% (Disallowed)
%PROGRAMDATA% (Disallowed)
%PROGRAMDATA%\Microsoft (Unrestricted)
%SYSTEMDRIVE% (Unrestricted)
%SYSTEMDRIVE%\Users (Disallowed) -- Removed this rule --
%TEMP% (Unrestricted)
%TMP% (Unrestricted)
%USERPROFILE% (Disallowed) -- Added this rule --
%USERPROFILE%\APPDATA (Disallowed)
%USERPROFILE%\Desktop (Unrestricted)
\\FS01\SOFTWARE (Unrestricted)
\\FS02\SOFTWARE (Unrestricted)
\\FS03\SOFTWARE (Unrestricted)
jharris_eps
New Member
Posts: 1
Joined: February 15th, 2017, 9:13 am

Re: Firefox and Software Restriction GPO

Post by jharris_eps »

Currently we create a hash rule to allow the setup.exe file from each version of Firefox. It's a pain to keep updated, but we only allow the ESR version and just add when a new version comes out if we know or when we get the helpdesk ticket. The same is true for Java and Flash, however with Windows 10 and Java and Flash going away, we are no longer installing these by default on any machines and will review as needed. For Flash, it's built into Edge and Chrome.

Jason
DanRaisch
Moderator
Posts: 127223
Joined: September 23rd, 2004, 8:57 pm
Location: Somewhere on the right coast

Re: Firefox and Software Restriction GPO

Post by DanRaisch »

Thanks for the comments but you've replied to a thread that died two years ago. Locking due to the age of the original post.