[gptalk] Opinion on my Software Restriction Policy

  • From: Pankaj Bhakta <bhakta@xxxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Wed, 11 Jun 2008 15:47:24 +1000 (EST)

We have a Win 2003 AD-based domain and users running Win XP SP2.

The following applications are installed by our IT department on every 

        * MS Office 2003 Pro
        * IE and Firefox
        * Win Zip
        * Adobe Reader
        * Sonic Record Now Plus - for burning CD/DVDs
        * Cyberlink PowerDVD

I want to set up a Software Restriction Policy to achieve the following:
a) Do not permit users to install any software
b) All the above-mentioned applications run smoothly

On a test domain I have set up an SRP as follows (User Configuration):

Default Security Level - Disallowed

Enforcement Properties
- All software files except libraries (such as DLLs)
- All users except Local Administrators

Designated File Types
- Removed the .LNK from the Designated File Types

Path rules
The 4 default rules kept intact.

Added the following:

%userprofile%\Start Menu\Programs
%allusersprofile%\Start Menu\Programs
\\myserver\netlogon\*.bat - running login scripts
\\myserver\netlogon\*.vbs - running login scripts

Although I removed the .LNK from the Designated File Types,
the shortcuts on the desktop did not seem to work, so I added the following path


Everything seems to be working as I wanted. All my
applications that are already installed are working fine. The applications that
have desktop shortcuts are working fine.

Also tested and found that the users cannot install
any application. 

To me things seem to work all right, but I would still request your valued
opinion & suggestions before I apply the policy on the production domain.
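
A review check for the path rules listed in the post, as an added example that is not part of the original message: it models the added Unrestricted path rules and reports any that resolve to a folder the restricted user can write to, since a file saved there is permitted to run despite the Disallowed default. The user name `alice`, the writable-roots list and the simplified wildcard matching are assumptions of this model.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample environment for one XP user; "alice" is hypothetical.
ENV = {
    "userprofile": r"C:\Documents and Settings\alice",
    "allusersprofile": r"C:\Documents and Settings\All Users",
}
# Assumption: a standard user can write only inside their own profile.
# On a real workstation, derive this from the directory ACLs instead.
USER_WRITABLE_ROOTS = [ENV["userprofile"]]

# The Unrestricted path rules the post adds. The four default rules and the
# desktop rule (its path is missing from the post) are not modelled.
ADDED_RULES = [
    r"%userprofile%\Start Menu\Programs",
    r"%allusersprofile%\Start Menu\Programs",
    r"\\myserver\netlogon\*.bat",
    r"\\myserver\netlogon\*.vbs",
]

def expand(rule, env=ENV):
    """Substitute %name% case-insensitively; unknown names are left as written."""
    return re.sub(r"%([^%\\]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), rule)

def matches(path, rule):
    """Simplified matching: * and ? are wildcards, a folder rule covers its subtree."""
    pattern = expand(rule).lower().rstrip("\\")
    path = path.lower()
    return fnmatchcase(path, pattern) or fnmatchcase(path, pattern + "\\*")

def allowed_by_added_rule(path, rules=ADDED_RULES):
    """Return the first added rule that permits path, or None (default: Disallowed)."""
    return next((r for r in rules if matches(path, r)), None)

def user_writable(path):
    """True when path is, or lies beneath, one of USER_WRITABLE_ROOTS."""
    path = path.lower()
    return any(path == root.lower() or path.startswith(root.lower() + "\\")
               for root in USER_WRITABLE_ROOTS)

def audit(rules=ADDED_RULES):
    """Rules that grant execution from a location the restricted user can write to."""
    return [r for r in rules if user_writable(expand(r))]

if __name__ == "__main__":
    for rule in audit():
        print("review:", rule, "->", expand(rule))
```

A rule reported by `audit()` is a candidate for removal or narrowing before the policy goes to production.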
