I should've mentioned that what we do here, having over 600 supported applications with various versions out in the field at any given time, is to assign one group per Application/Version onto the ACL of each MSI added onto a GPO. For example, you'd have one GPO with "Domain Computers" in the scope, that would have both versions of Office in Software Installations, but rather then leave "Authenticated Users" in each package's ACL, you remove it and add a unique group to each product. In fact, you'd probably assign the same group to both Office 2k3 itself, and the "Office 2007 compatibility" package, this way everyone would be on the same page. One of the benefits of this approach is that we're able to roll out updates in increments as we choose. f.