It’s always a trade-off between security and convenience. You say allowing them install some minor update isn’t a big deal. However, if they can download anything or update anything how can (1) an IT staff keep all machines at consistent levels in terms of the software, updates and patches (2) prevent users from installing crap on their machines that end up putting them out of commission for longer than your 40 minutes?

Just playing devil’s advocate. Personally, security policies come from the top-down and it’s NEVER IT departments making policy. We just enforce those policies.

My opinion is middle of the road. I say as long what a user does isn’t compromising business applications or customer experience let them blow up their machines and perhaps next time they won’t be so careless.

From my last 13+ years in IT, security is a losing battle. As soon as management is inconvenienced or someone whines loudly enough policies suddenly become less stringent and things are opened up.

Just my .02…

If you had to delete a file out of the Program Files folder structure to get the software running, it sounds like pretty bad software design.

On XP a non-admin user can’t modify that structure, and an application that requires such a thing is *not designed to the specs for Windows XP*.

That is where the problem lies, and its very common. I am also in a position of supporting such legacy programs on XP, and it can cause some unique problems for sites that enforce security policies, requiring custom ACLs at some locations where NT was writeable but XP isnt (for std user).

Almost always, a situation like that happens because of poorly designed software applications. The Windows OS and the security policy administrator are doing things right…the application vendor is causing the problem.

To mhz:

You obviously have no experience with software troubleshooting. Files get corrupted from time to time and need to be removed. The cause is often because of a power failure while the user was using the application. In this case it was a log file that needed to be cleared out of the folder because it was too large. Look through the library of kb documents with any software company and you’ll find deleting a file is often to resolution to most problems.

Well, for sure a power failure situation might cause just about anything to happen, but IMHO this is the kind of thing you probably need to call a Helpdesk tech for.

That should not be very common, and certainly would not warrant the additional risks that you get from giving std users full access to the machine.

and the “you certainly have no experience” is not really warranted either. Lets be nice, shall we?