If you really wanted to make sure your computers don't update to XP SP2, you could add a software restriction policy with hash rules for the UPDATE.EXE and UPDATE.MSI files from the IT download. Later, when the smaller version becomes available from the Windows Update site, you would add the hash of that copy as well.

That way you can stop or delay Automatic Updates (AU) from pulling it down, and stop a user who downloads it manually from running it.

Granted, a user with admin rights and a little knowledge could bypass your restrictions and get it installed, but this should stop most casual users.
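As an added example (not part of the original post), here is a PowerShell script that computes the hash of each installer file and writes a "Disallowed" hash rule into the local Software Restriction Policy so it can be re-run later for the second, smaller download. The registry layout and value names under `Safer\CodeIdentifiers`, the MD5 algorithm id 32771, and the file paths are this editor's assumptions about XP-era SRP, not something the post states; verify them in a lab before pushing the rule through Group Policy.

```powershell
# Added example, not from the original post. Writes local SRP hash rules that
# block the named files. Assumed (not from the post): the Safer\CodeIdentifiers
# registry layout, its value names, HashAlg 32771 (MD5) and the sample paths.
# Run from an elevated prompt on a test machine first.

$Files = @('C:\SP2\UPDATE.EXE', 'C:\SP2\UPDATE.MSI')   # placeholder paths

# Security level 0 = Disallowed in the SRP policy hive (assumption).
$BaseKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes'

function New-SrpHashRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Description = 'Block XP SP2 installer'
    )
    $item = Get-Item -LiteralPath $Path

    # XP-era SRP hash rules store an MD5 digest; HashAlg 32771 is the MD5
    # algorithm id as this editor understands it (assumption).
    $hex   = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    $bytes = [byte[]](0..($hex.Length / 2 - 1) |
             ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) })

    # Each rule lives under its own GUID-named subkey.
    $ruleKey = Join-Path $BaseKey ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null

    $values = @(
        @{ Name = 'Description';  Value = $Description;               Type = 'String' },
        @{ Name = 'FriendlyName'; Value = $item.Name;                 Type = 'String' },
        @{ Name = 'HashAlg';      Value = 32771;                      Type = 'DWord'  },
        @{ Name = 'ItemData';     Value = $bytes;                     Type = 'Binary' },
        @{ Name = 'ItemSize';     Value = $item.Length;               Type = 'QWord'  },
        @{ Name = 'SaferFlags';   Value = 0;                          Type = 'DWord'  },
        @{ Name = 'LastModified'; Value = (Get-Date).ToFileTime();    Type = 'QWord'  }
    )
    foreach ($v in $values) {
        New-ItemProperty -Path $ruleKey -Name $v.Name -Value $v.Value `
                         -PropertyType $v.Type -Force | Out-Null
    }
    return $ruleKey
}

# One rule per installer file; re-run with the Windows Update copy later,
# since a different build of the file has a different hash.
foreach ($f in $Files) {
    Write-Host ("Created rule {0} for {1}" -f (New-SrpHashRule -Path $f), $f)
}
```

A hash rule only matches the exact bytes it was computed from, which is why the post's second step (adding the hash of the smaller Windows Update download) is needed; a path or publisher rule would be the alternative if the file is expected to change again.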