In a Windows domain, using built in domain features, how can you easily stop malicious software/viruses/cryptolocker from running from the downloads folder, or temporary internet files?

In a Windows domain, using built in domain features, how can you easily stop malicious software/viruses/cryptolocker from running from the downloads folder, or temporary internet files?

• Advanced Windows Firewall Settings
• Fancy Antivirus Software
• Train your users to be more careful
• Apply a Software Restriction Policy GPO 

 

EXPLANATION

Using a software restriction Policy you can create a whitelist or blacklist policy of locations that software is allowed to launch from. This included applications, scripts and so on. You can easily block software from launching from anywhere within a users profile, including the downloads folder. If you want to get into the advanced settings, you can blacklist ALL software and provide a while list of hashes for applications on your domain. SRP is extremely powerful, and very user friendly to configure. It is a valuable tool to use in keeping your network safe.

SOURCE

https://technet.microsoft.com/en-us/library/cc786941(v=ws.10).aspx