If you want to use Software Restriction Policies in Windows XP or Windows Vista to directly duplicate the Windows and program restriction settings that a Windows SteadyState administrator can configure, create the path rules defined in the following sections. Optionally, you can also use Software Restriction Policies to restrict Notepad and WordPad and to prevent Microsoft Office programs from running.

For example, to duplicate the effect of the "Allow only programs in the Program Files and Windows folders to run" feature on the Windows Restrictions tab in Windows SteadyState, use a Software Restriction Policy to set the security level to Disallowed, and then create additional rules that allow (unrestrict) each of the following paths, as shown in Table 6.

Table 6: Software Restriction Rules

| Rule | Description |
| --- | --- |
| %ProgramFiles% | Allows programs to run |
| %Windir% | Allows Windows programs to run |
| *.lnk | Allows Start menu and desktop shortcuts to work |

As an added security measure, you can also create an additional path rule that restricts files from being run in the Temp folder. To restrict users' read/write permissions to the Temp folder, add the following rule by using Software Restriction Policies.

%WinDir%\Temp
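
The following added example (not part of the original guidance and not Microsoft code) is a simplified Python model of how the rules above combine: the default level is Disallowed, and when several path rules match a file the most specific one wins, following the documented path-rule precedence. The environment values, sample file paths and function names are assumptions constructed for illustration.

```python
import ntpath
import re
from fnmatch import fnmatchcase

# Constructed environment values (assumed default install locations).
ENV = {"programfiles": r"C:\Program Files", "windir": r"C:\Windows"}
DEFAULT_LEVEL = "Disallowed"
# Table 6 rules plus the Temp rule, as (path rule, security level).
RULES = [
    (r"%ProgramFiles%", "Unrestricted"),
    (r"%Windir%", "Unrestricted"),
    (r"*.lnk", "Unrestricted"),
    (r"%WinDir%\Temp", "Disallowed"),
]

def expand(rule):
    """Expand %VAR% tokens (case-insensitive) and normalise for comparison."""
    path = re.sub(r"%([^%]+)%", lambda m: ENV[m.group(1).lower()], rule)
    return path.rstrip("\\").lower()

def specificity(rule, target):
    """Return a sortable rank if the rule matches target, otherwise None."""
    rule, target = expand(rule), target.lower()
    if "*" in rule or "?" in rule:
        if "\\" in rule:  # folder\*.ext pattern
            return (3, rule.count("\\")) if fnmatchcase(target, rule) else None
        # Bare *.ext pattern: compare against the file name only.
        return (2, 0) if fnmatchcase(ntpath.basename(target), rule) else None
    if target == rule:  # rule names one file by full path
        return (4, rule.count("\\"))
    if target.startswith(rule + "\\"):  # folder rule also covers subfolders
        return (1, rule.count("\\"))
    return None

def evaluate(target):
    """Return (security level, winning rule) for a full file path."""
    best = None
    for rule, level in RULES:
        rank = specificity(rule, target)
        if rank is None:
            continue
        key = rank + (level == "Disallowed",)  # on a tie the stricter level wins
        if best is None or key > best[0]:
            best = (key, level, rule)
    return (best[1], best[2]) if best else (DEFAULT_LEVEL, "default level")

if __name__ == "__main__":
    for sample in (r"C:\Windows\System32\notepad.exe", r"C:\Windows\Temp\setup.exe",
                   r"C:\Users\kiosk\Downloads\tool.exe"):  # constructed paths
        print(sample, "->", evaluate(sample))
```
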

For more information on using Group Policy Software Restriction Policies, see Using Software Restriction Policies to Protect .