J
Jeremy Harrington
I have deployed a Group Policy for a certain subset of users that only allows
them to use Internet Explorer. To do so, I set Software Restriction with a
default setting of "Deny," with the only exception being IE. With basic
testing, it seems to work perfectly.
However, if you perform the following steps from within IE, you can run any
application, in complete disregard for the GP.
1) Open IE
2) Go to File->Open
3) Click the "Browse" button
4) Change the "Files of Type" drop down to "All Files"
5) Browse to any app that shouldn't run.
6) Hold down CTRL-SHIFT while right clicking the app to bring up the "Run
As" option and click "Run As"
7) Leave the default options (current user with checked box) selected and
click "Ok"
I tried this with multiple applications, and it worked every time. The fact
that 99% of users will never try this is irrelevent. This makes software
restriction security by obscurity, rather than a tool to be counted on.
them to use Internet Explorer. To do so, I set Software Restriction with a
default setting of "Deny," with the only exception being IE. With basic
testing, it seems to work perfectly.
However, if you perform the following steps from within IE, you can run any
application, in complete disregard for the GP.
1) Open IE
2) Go to File->Open
3) Click the "Browse" button
4) Change the "Files of Type" drop down to "All Files"
5) Browse to any app that shouldn't run.
6) Hold down CTRL-SHIFT while right clicking the app to bring up the "Run
As" option and click "Run As"
7) Leave the default options (current user with checked box) selected and
click "Ok"
I tried this with multiple applications, and it worked every time. The fact
that 99% of users will never try this is irrelevent. This makes software
restriction security by obscurity, rather than a tool to be counted on.