Software Restriction Policy - iexplore.exe (32bit) can't start 7zip, picture viewer, etc...

  • Question

  • We are implementing a Software Restriction Policy in strict mode (deny all, exceptions via path-based rules) on win7x64 machines.

    Apart from the 3 default path-based rules

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%
    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%

    we also have these 2:

    %programfiles%\
    %programfiles(x86)%\

    With these settings, all programs in c:\windows and the C:\program files(xx) directory (e.g. 7zip, the Windows integrated picture viewer, ...) should execute correctly. Starting them directly via the Explorer GUI proves that they do so.

    Unfortunately, when we use Internet Explorer to browse our SharePoint site to e.g. download a .ZIP file, and try to open it through the IE interface ("do you want to open or save xxxx.zip?" -> OPEN), we receive the message that group policies are blocking execution of a program.

    The SAFER log shows

    iexplore.exe (PID = 2572) identified C:\Program Files\7-Zip\7zFM.exe as Disallowed using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}

    The event log shows

    Access to C:\Program Files\7-Zip\7zFM.exe has been restricted by your Administrator by the default software restriction policy level.

    The same happens with a web application that shows digitally scanned bills to the user by prompting for a .JPG download. The Windows integrated picture viewer should pop up and show the image, but instead the error message appears.

    The problem does not happen when we add an explicit path rule, e.g. to allow "c:\Program Files\7-Zip\7zFM.exe". But this is completely not logical to me, as "C:\program files\" is already fully excluded by the default path rule, and manually opening that very path, as mentioned above, works perfectly fine?!

    Also, I found out that using Internet Explorer in 64bit mode does not raise this issue.

    So it seems that IE in 32bit mode trying to execute other programs is resolving the path rules incorrectly.

    What is going wrong here and how can I fix it?



    Thursday, October 11, 2012 12:20 PM

Answers

  • THIS thread fixed it. Thanks to the user who posted the correct solution there:

    %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramW6432Dir%

    • Proposed as answer by tracycai Friday, October 12, 2012 7:12 AM
    • Marked as answer by Robert Rostek Friday, October 12, 2012 7:13 AM
    Thursday, October 11, 2012 1:26 PM
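
An added diagnostic, not part of the original thread: the SAFER log line in the question shows the rule lookup being done by the 32-bit iexplore.exe, and a 32-bit process on 64-bit Windows reads the `ProgramFilesDir` values from the WOW64 registry view, where they normally point at `C:\Program Files (x86)`. This PowerShell script lists what each registry path rule resolves to in both views and which rules cover the blocked path. Assumptions: PowerShell 3.0 or later on a 64-bit machine, and `$target` is the path copied from the log in the question.

```powershell
# Added example: compare how the registry-based SRP path rules resolve in the
# 64-bit and the 32-bit (WOW64) registry views of a 64-bit Windows machine.
# Requires PowerShell 3.0+ (uses the .NET 4 RegistryView API).

$subKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion'
$names  = 'ProgramFilesDir', 'ProgramFilesDir (x86)', 'ProgramW6432Dir'
$views  = [Microsoft.Win32.RegistryView]::Registry64,
          [Microsoft.Win32.RegistryView]::Registry32

# Read each value once per view; a missing value comes back as $null.
$rows = foreach ($view in $views) {
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    $key = $base.OpenSubKey($subKey)
    try {
        foreach ($name in $names) {
            New-Object psobject -Property @{
                View = $view; Value = $name; ResolvesTo = $key.GetValue($name)
            }
        }
    } finally {
        $key.Close(); $base.Close()
    }
}
$rows | Sort-Object Value, View | Format-Table Value, View, ResolvesTo -AutoSize

# Path under test, taken from the SAFER log line in the question.
$target = 'C:\Program Files\7-Zip\7zFM.exe'

# For each view, report which registry path rules would cover the target.
foreach ($view in $views) {
    $covering = $rows | Where-Object {
        $_.View -eq $view -and $_.ResolvesTo -and
        $target.StartsWith($_.ResolvesTo.TrimEnd('\') + '\',
                           [StringComparison]::OrdinalIgnoreCase)
    } | ForEach-Object { $_.Value }
    if ($covering) { "{0}: covered by {1}" -f $view, ($covering -join ', ') }
    else { "{0}: no registry path rule covers {1}" -f $view, $target }
}
```

The `Registry32` rows are what a 32-bit caller such as iexplore.exe sees; if only `ProgramW6432Dir` covers the target there, the rule from the answer is the one that closes the gap.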