Update:
I opened a ticket with MS and we found a security bug.
Software restriction hashes do not work on digitally signed files.
When you create the hash policy against the file, you do not get the true hash value.
The true hash cannot be seen unless you use an MD5 hash utility. You can try this on WinZip v8 or AOL v9 files.
You can manually edit the registry to fix each one on a local machine, but we have not found a workaround to do this through group policy yet. Perhaps I have to create a custom policy, and I will continue to experiment with this...
Right-click the file and open its properties to see if it is digitally signed.
This could be a serious threat, as a managed computer network cannot protect against a rogue install of a digitally signed file!
-----Original Message-----
OK. I have not tried it with machine configuration yet. From your post it sounds as if the user the policy is not being applied to is logging onto the local machine as local administrator and not the domain as a regular user who also is in the local administrators group on that computer. Since it is a machine policy, that would lead me to also believe it should affect all users on that computer logging into the local machine or the domain. What happens when a domain user that is also in the local administrators group logs onto that machine? Are they denied access to run that application? Of course restricting any local administrator is extremely difficult as they can do things like create local administrator accounts and unjoin computers from