Software Restriction Policy Problem in XP


  • Hi,

    Classic problem here.  I have been asked to configure a workstation so that the only thing that can run is IE and a specific site.  It is for a time and attendance application; management wants a station set up so staff don't have to wait for their workstations to boot to clock in in the morning.

    So I am playing with software restriction policies on a test workstation.  It is not part of our domain so I am using the local security policies and have been referencing this article:

    I created a software restriction policy and set the default security level to Disallowed because I only want them running IE.  I did make sure to check that the Enforcement Properties were set to All software files except libraries and Apply software restriction policies to the following users was set to: All users except local administrators.

    I logged into my basic user account and sure enough, everything is blocked except IE and Outlook Express, which is fine.

    Then I logged back into the administrator account and have discovered that I can't run anything there either except IE and Outlook Express.  So I can't run Local Security Policies from Admin Tools, I can't run CMD.exe so I can't run secedit.

    Why has it applied the policy to the local administrator, and how do I turn it off now?  I've been looking for registry keys and can't seem to find them.

    Any help is greatly appreciated.

    Thanks in advance,


    Oh, forgot to mention I can run regedit.
    • Edited by lkubler Wednesday, March 14, 2012 17:46 Additional Info
    Wednesday, March 14, 2012 17:42

All replies

  • Ah, Ok so I figured out I can run the secpol.msc from the run line and was able to turn off the software restriction policy.  By that I mean I was able to change the default security level to unrestricted.

    Upon further scrutiny I don't see any way to apply a software security policy to just a user or group of users on a computer that is not joined to the domain.  Am I just missing it or do I have to join this computer to the domain to get that level of granularity?

    Thanks in advance,


    Wednesday, March 14, 2012 18:15
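
A check for the three settings named in the first post (default security level, enforcement, and which users the policy applies to), as an added example that is not part of the thread: it decodes a regedit export of the Software Restriction Policies key and flags a Disallowed default that has no administrator exemption. The export text is a constructed sample and the function names are illustrative.

```python
import re

# Added example, not from the thread. The key and value names are the
# documented registry location of Software Restriction Policy settings.
SRP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

MEANINGS = {
    "DefaultLevel": {0x0: "Disallowed", 0x40000: "Unrestricted"},
    "PolicyScope": {0: "All users", 1: "All users except local administrators"},
    "TransparentEnabled": {0: "No enforcement",
                           1: "All software files except libraries",
                           2: "All software files"},
}

# Constructed sample: a regedit export matching the settings in the first post.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00000000
"PolicyScope"=dword:00000001
"TransparentEnabled"=dword:00000001
'''

def decode_srp(export_text):
    """Return {value name: (raw int, meaning)} for the SRP key in a .reg export."""
    settings, in_key = {}, False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Only the policy root counts, not its numbered rule subkeys.
            in_key = line.strip("[]").lower() == SRP_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if in_key and m and m.group(1) in MEANINGS:
            raw = int(m.group(2), 16)
            settings[m.group(1)] = (raw, MEANINGS[m.group(1)].get(raw, "unrecognised value"))
    return settings

def findings(settings):
    """Flag combinations that can leave a machine unmanageable or unprotected."""
    out = []
    level = settings.get("DefaultLevel", (None,))[0]
    scope = settings.get("PolicyScope", (None,))[0]
    if level == 0 and scope != 1:
        out.append("Disallowed default with no administrator exemption")
    if settings.get("TransparentEnabled", (None,))[0] == 0:
        out.append("Enforcement is off: rules are not applied")
    return out
```

A real export saved from regedit in the "Version 5.00" format is UTF-16, so read the file with `encoding="utf-16"` before passing its text to `decode_srp`.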