Basically, SRP has two general modes. The default mode is to allow everything to run and then you create a "blacklist" of disallowed apps using the 4 types of rules that come with the policy. This is not very secure since who knows what may end up running that you did not account for in your blacklist. The other mode is to set the default policy to disallow everything and then you create rules that only allow the things that you know you want to run (i.e. business apps, etc.). This is a good article on how SRP works: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx _____ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Jason A. Varley Sent: Wednesday, August 23, 2006 4:04 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Restricting only Software Installations Thank you for the feedback. Can you tell me a little more about the white list ? - that sounds like what I am after. Thanks Darren! Jason _____ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Wednesday, August 23, 2006 5:01 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Re: Restricting only Software Installations You can prohibit per user installs of MSI packages using the policy at computer config\admin templates\windows components\windows installer\prohibit user installs. Since this is a per computer you would need to apply it at the computer of the user(s) you want to restrict. Alternatively, if you really needed to button things down, you could set up a Software Restriction Policy "white list" where only a known set of applications and setup packages are allowed to run. This would guarantee that *nothing* runs outside of what you know about. Of course, all this gets harder if your users are local admin on their workstations. Darren _____ From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Jason A. Varley Sent: Wednesday, August 23, 2006 2:20 PM To: gptalk@xxxxxxxxxxxxx Subject: [gptalk] Restricting only Software Installations This may have a simple answer but I can't think of it at the moment. How can I restrict only a users ability to install software? I know some policies and user groups would probably encompass this restriction but I was wondering how to do just the one restriction of installing software. Is this possible?? Thanks for the help! Jason