We are hosting some licensed software in our company on a Windows Server 2008 R2. Users access the server using Remote Desktop Services. However, we would like to prevent users from copying the licensed software (e.g. the executable and related program files). That means we want to suppress uploading to a web server, copying with RDP, etc.
How is this possible with Windows Server 2008 R2?
One technique that will make it pretty difficult for the end user is to simply not give them a full desktop. Instead of giving them a Windows shell where they can manage files and copy them, expose your application as a remote app. Also heavily lock down the system with group policies to prevent starting explorer.exe, command shells and other tools from the file open/save dialogs. This wouldn't completely stop an extremely skilled individual, but it should discourage the average computer user.
If you need a full desktop, you could set up a couple of terminal servers, one server to provide your full desktop, and a second server to provide your remote apps within the terminal server environment.
If running a remote app isn't an option then you probably will need to do a lot of work to lock down the system with group policies. With group policies you can prevent a user from browsing drives in Windows Explorer and the standard Windows file dialogs. This would discourage most people, but it might make your system more difficult to use than your users are willing to accept. It depends on your requirements.
Another option might be to deliver your application with something like App-V. It is a technology where the application is not actually installed on the server. You need a special client to run the software. If your infrastructure is fast enough, then you would disable caching of the application files. I am not extremely familiar with the App-V internals to know if a determined person could extract a copy of the program from the cache; I suspect they could, but I don't think App-V is not common enough that it might make it difficult enough.
Simply turn off the ability for local devices and resources to be available in a remote session. Check out this TechNet article for more information about that feature.
If you want more granular control over disallowing only certain files from being copied over an established session that otherwise allows local resources - I am unaware of that being possible.
EDIT: I see clearer now. Sorry for the confusion. In the case of needing to prevent internet copying of files, you may have quite a task ahead of you. If it's a controlled environment that only needs access to certain sites, then you could create a default deny rule in the firewall and only allow those internet connections that are necessary, thus disallowing any reasonable possibility of things being copied to a remote host.
If you must have complete access to the internet, then look into a third-party tool like Imperva's File Firewall. I'm not 100% sure if that does exactly what you're looking for, however. No first-hand experience with it.
You might have to look at a DPI gateway appliance that can inspect file transfers for certain files and block their transmission. Of course, you'll need to block SSL connections except to known good hosts.
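One way to verify the "turn off local devices and resources" advice above on the session host, as an added example that is not part of the original answers: a read-only PowerShell check of the Remote Desktop Services Group Policy registry values for device redirection. It reads only the policy key, so a channel disabled on the RDP-Tcp listener or in the client instead will show as not configured; the function name is hypothetical.

```powershell
# Added example: read-only audit of RDS device-redirection policy values.
# Written to run on the PowerShell 2.0 that ships with Server 2008 R2.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Policy value name -> redirection channel it blocks when set to 1.
$channels = @(
    @{ Name = 'fDisableCdm';      Channel = 'Drive redirection' },
    @{ Name = 'fDisableClip';     Channel = 'Clipboard redirection' },
    @{ Name = 'fDisableCpm';      Channel = 'Client printer redirection' },
    @{ Name = 'fDisableCcm';      Channel = 'COM port redirection' },
    @{ Name = 'fDisableLPT';      Channel = 'LPT port redirection' },
    @{ Name = 'fDisablePNPRedir'; Channel = 'Plug and Play device redirection' }
)

# Hypothetical helper name; returns one object per redirection channel.
function Get-RedirectionPolicyState {
    param([string]$Key = $policyKey)

    $props = $null
    if (Test-Path $Key) { $props = Get-ItemProperty -Path $Key }

    foreach ($c in $channels) {
        $name  = $c.Name
        $value = $null
        if ($props) { $value = $props.$name }   # $null when the value is absent

        if ($null -eq $value) { $status = 'Not configured by policy' }
        elseif ($value -eq 1) { $status = 'Blocked' }
        else                  { $status = 'Allowed by policy' }

        New-Object PSObject -Property @{
            Channel   = $c.Channel
            ValueName = $name
            Status    = $status
        }
    }
}

$report = @(Get-RedirectionPolicyState)
$report | Select-Object Channel, ValueName, Status | Format-Table -AutoSize

# Summarise channels that policy does not explicitly block.
$open = @($report | Where-Object { $_.Status -ne 'Blocked' })
if ($open.Count -gt 0) {
    Write-Warning ("{0} redirection channel(s) not blocked by policy." -f $open.Count)
}
```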