microsoft.public.windowsxp.security_admin

"Jim" wrote:

> I am creating a new GPO for Software restrictions. I have set the default
> rule to "Software will not run, regardless of the access rights of the user."
> We are creating a desktop image that we know exactly what applications will
> be allowed to run. I figured this was a perfect candidate for blocking all
> applications.
>
> I am testing out the GPO. I have created a Hash Rule for Roxio Classic
> Creator and set that rule to Unrestricted.
>
> I go to click on the Shortcut for Roxio and I get a message saying that that
> Roxio executable is blocked by the SRP. I go to the Event Log and see this:
>
> Event Type: Warning
> Event Source: Software Restriction Policies
> Event Category: None
> Event ID: 865
> Date: 2/27/2008
> Time: 9:21:08 AM
> User: N/A
> Computer: BLUEMAX
> Description:
> Access to C:\Documents and Settings\pds2\Start Menu\Programs\Roxio Easy
> Media Creator 9\Data\Creator Classic.lnk has been restricted by your
> Administrator by the default software restriction policy level.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> So I try to create a hash rule for the LNK file, but the hash is the same as
> the actual Executable and I still get the same error.
>
> I took the LNK out of the Designated file types and it allowed the Roxio
> Classic Creator to run, but it also allowed everything to run.
>
> Is there something wrong I am doing or other documentation on to create a
> SRP that will block everything except what I want to run?

Deny should only be used when any other option does not work [i.e a last
resort].

You are better off to remove the permission than denying.