Preventing unauthorized downloads
There is no sure way to prevent downloads such as you described, simple or otherwise. You can likely set up your firewall to look for filenames with the extensions you want prohibited and have them stopped. Some antivirus software can also be set to scan all downloaded files and to look for executables.

However, users who want to avoid all these prevention measures will find ways to get around them. Do your computers have Zip drives or high-density floppies? If so, these files can be downloaded elsewhere and then brought over by "sneaker-net." What prevents a user from downloading an executable elsewhere, then using uuencode or some other encoding scheme to turn the executable into a text file? They could then e-mail the encoded text file to the machine you are protecting and decode the text file back into an executable.

The best answer is to have a clearly defined policy that unauthorized downloads or other unauthorized importation of executable files are not allowed, then enforce that policy. Be sure the policy states what the penalties for violation are, and apply the penalty when someone is caught.

Technical solutions to this problem are difficult at best, particularly given that you are using the insecure Windows 95 operating system. There really are no access control restrictions on what a user can do on their local machine under Win95 or Win98, so the users are effectively the Administrator or "root" for their machine. Thus, solving the problem via policy and procedure is your best bet.
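A filename filter misses the uuencode route described above, while a check on decoded content does not. The following is an added example, not part of the original answer: it decodes uuencoded blocks found in a message body and flags any whose content begins with the `MZ` magic of a DOS/Windows executable, whatever filename the block declares. The function names and the sample message are constructed for illustration.

```python
import binascii
import re

# Header line of a uuencoded block: "begin <mode> <filename>"
BEGIN_RE = re.compile(r"^begin [0-7]{3,4} (\S.*)$")
MAGIC = b"MZ"  # first two bytes of DOS/Windows executables

def extract_uu_payloads(text):
    """Yield (declared_name, decoded_bytes) for each complete uuencoded block."""
    name, chunks = None, []
    for line in text.splitlines():
        if name is None:
            m = BEGIN_RE.match(line)
            if m:
                name, chunks = m.group(1), []
        elif line.strip() == "end":
            yield name, b"".join(chunks)
            name = None
        elif line.strip():
            try:
                chunks.append(binascii.a2b_uu(line))
            except binascii.Error:
                name = None  # malformed block: discard it and resync

def flag_executables(text):
    """Return declared names of blocks whose decoded content is an executable."""
    return [n for n, data in extract_uu_payloads(text) if data.startswith(MAGIC)]

def build_sample_message():
    """Constructed sample: one disguised blob and one genuine text attachment."""
    fake_exe = MAGIC + bytes(range(90))  # not a real program, only the magic
    lines = ["Hi, notes attached.", "", "begin 644 notes.txt"]
    for i in range(0, len(fake_exe), 45):  # uuencode carries 45 bytes per line
        lines.append(binascii.b2a_uu(fake_exe[i:i + 45]).decode("ascii").rstrip("\n"))
    lines += ["`", "end", "", "begin 644 readme.txt"]
    lines.append(binascii.b2a_uu(b"plain text only\n").decode("ascii").rstrip("\n"))
    lines += ["`", "end"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(flag_executables(build_sample_message()))
```

This covers only uuencode and only the `MZ` signature; another encoding scheme or a compressed wrapper would pass, which is the answer's point about technical controls.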