Software restriction policy not working (at least: not the way I want it to)

Ton

Hi all,
XP PRO SP1, incl. all post-SP1-hotfixes, standalone machine. Since I
recognize Software restriction policies to be valuable in preventing malware
from destroying my system, I tried to configure it. I have set the default
rule to "not allowed", and then I created restrictions for %WINDIR% and for
%PROGRAMFILES%, setting them to unrestricted. I also added internet zones,
and I created some hash rules (for the Norton Antivirus and ZoneAlarm
executables). All rules apply to all users but administrators.
However: when logging on as a power user, I get messages from XP that apps
that are in C:\program files are not allowed to run due to a software
restriction policy. So, although the restriction process seems to work, it
works quite the opposite from what I expected. I then tried not using the
variables but using the real locations, so: c:\windows, and c:\program
files, but the problem stays the same. Obviously, I'm missing something
here, but I don't have any clue as to what it is:-(.
Can anybody out there shine a light on my error and help me?
Thanks a lot,
Kind regards,
Jos
PS sorry for the cross-posting, but I really didn't know which group would
be most suitable to post my question.
 
death

kill your computer.
 
Kendra Yourtee

I couldn't repro your issue, however...
Keep in mind that the rules you say you set (Unrestricted rules for both
%WINDIR% and %PROGRAMFILES%) are already set, by default, in Software
Restriction Policies in Windows XP. Check under "Additional Rules" on
any default installation, and you will see four path rules defined (they
map to the %WINDIR% and %PROGRAMFILES% you set, above). They are all set
to Unrestricted.

This is done so that users have a core line of defense against shooting
themselves in the foot - even if the administrator sets everything to
Disallowed, for all users, you can still run applications in those
directories (and thus change your settings without hosing your machine).

======
This message is posted AS IS and thus confers no additional rights.
The views expressed by the poster are not necessarily the views of the company.
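A way to check what Kendra describes without clicking through the MMC snap-in: the machine-wide Software Restriction Policy is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, with a DefaultLevel value, a PolicyScope value (whether local administrators are exempt) and one subkey per security level holding the Paths and Hashes rules. The script below is an added example written for this thread, not something posted by Jos, Kendra or Microsoft; it assumes the registry layout used by Windows XP and Server 2003 (value names ItemData, Description, FriendlyName and the level codes 0, 0x20000 and 0x40000) and only reads the registry. Run it from a prompt with administrative rights.

```powershell
# Added example (not from the thread): dump the machine-wide Software
# Restriction Policy as Windows stores it, so the default level, the policy
# scope and every path/hash rule (with the level it enforces) are visible
# in one listing. Read-only.

$srpBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as stored in the registry (DWORD values).
$levelNames = @{
    0      = 'Disallowed'
    131072 = 'Basic User'    # 0x20000
    262144 = 'Unrestricted'  # 0x40000
}

function Get-SrpRules {
    param([string]$Base = $srpBase)

    if (-not (Test-Path $Base)) {
        Write-Warning 'No machine-wide Software Restriction Policy is configured.'
        return
    }

    $root = Get-ItemProperty -Path $Base
    $defaultLevel = if ($null -eq $root.DefaultLevel) { '(not set)' }
                    elseif ($levelNames.ContainsKey([int]$root.DefaultLevel)) { $levelNames[[int]$root.DefaultLevel] }
                    else { '0x{0:X}' -f $root.DefaultLevel }
    # PolicyScope: 0 = all users, 1 = all users except local administrators.
    $scope = if ($root.PolicyScope -eq 1) { 'All users except local administrators' } else { 'All users' }

    Write-Host ("Default security level : {0}" -f $defaultLevel)
    Write-Host ("Policy applies to      : {0}" -f $scope)
    Write-Host ''

    # Each security level has its own subkey (0, 131072, 262144) with Paths\ and Hashes\ beneath it.
    foreach ($levelKey in Get-ChildItem -Path $Base | Where-Object { $_.PSChildName -match '^\d+$' }) {
        $level = [int]$levelKey.PSChildName
        $name  = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { $levelKey.PSChildName }

        $pathsKey = "$($levelKey.PSPath)\Paths"
        if (Test-Path $pathsKey) {
            foreach ($rule in Get-ChildItem -Path $pathsKey) {
                $p = Get-ItemProperty -Path $rule.PSPath
                # ItemData holds the path. The four default XP rules reference SystemRoot and
                # ProgramFilesDir through registry-path syntax (%HKEY_LOCAL_MACHINE\...%),
                # which is why they do not literally read %WINDIR% or %PROGRAMFILES%.
                [pscustomobject]@{
                    Level       = $name
                    Type        = 'Path'
                    Rule        = $p.ItemData
                    Description = $p.Description
                }
            }
        }

        $hashesKey = "$($levelKey.PSPath)\Hashes"
        if (Test-Path $hashesKey) {
            foreach ($rule in Get-ChildItem -Path $hashesKey) {
                $h = Get-ItemProperty -Path $rule.PSPath
                # ItemData is the binary hash; FriendlyName carries the file name/version it was taken from.
                $hex = ($h.ItemData | ForEach-Object { '{0:x2}' -f $_ }) -join ''
                [pscustomobject]@{
                    Level       = $name
                    Type        = 'Hash'
                    Rule        = $hex
                    Description = $h.FriendlyName
                }
            }
        }
    }
}

Get-SrpRules | Sort-Object Level, Type | Format-Table -AutoSize
```

On a default installation the listing should show the four Unrestricted path rules Kendra mentions before any rule you added yourself. When reading the output, remember the precedence SRP applies: hash rules beat path rules, and among path rules the most specific match wins, so a Disallowed rule that matches a path more precisely than the default Unrestricted rule will block executables under it even though the broader rule allows them.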
 
