AppLocker not behaving as expected when a file has Alternate Data Streams and the rule is not applied to Everyone.
I have a publisher rule set up for MS Office 2010 as in the picture. When this is set to Allow for Everyone, Office works as expected. However, if I set the rule to Allow for Domain Users I have an issue. I'll use an Excel document as an example. If the file I am using has an Alternate Data Stream attached with ZoneID=3 then I get this error. And inside the Event Viewer I see this. If I remove the data stream or set it to ZoneID=0 then the application works fine. The application also works if the Everyone group is given Allow on the AppLocker rule.

So the question is: what is happening between AppLocker and Office when it comes to ADS that is preventing Office from running correctly? Oh, by the way, the normal "AppLocker is blocking this application" message is never seen.
June 18th, 2012 4:26pm


Please try to add the group "Authenticated Users" instead of "Domain Users". I suspect some tasks run as Local System. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 22nd, 2012 4:20am

I will give that a try, but it will not really do what I am trying to accomplish, and I guess I should have put that in here. I am trying to make a rule that does not apply to everyone. Authenticated Users would not remove the accounts I am trying to not have the rule apply to. I need the limited accounts to be able to run part of Office but not all of it, so I have a rule for that one part that works for Everyone and this rule that works for everyone else (Domain Users). The limited accounts are not in the Domain Users group, but they would be in Authenticated Users.
June 22nd, 2012 6:14am

So I tried "Authenticated Users" and I had the same issue as with Domain Users. And really it would not have solved my problem anyway, even if it did work. To test this I made a test machine and created a local AppLocker rule.

TEST 1: I am using Word this time; the rule is set for a group called "Office Users" (I did not want to use Domain Users again because I think people were getting confused by its use). Again, when trying to open a file with ADS I get an error, slightly different with Word, but the AppLocker event error is the same. If I remove the ADS or set the ZoneID to 0 it opens fine, and if I set the rule to "Everyone" it works fine.

TEST 2: I repeated the test with Excel and I have the same issues as in the original post. Looking at the AppLocker events, I see that when running the file with ADS it generates 2 events. The first one is successful and the second one fails. I believe that the second one is when the application is trying to switch to Protected View, and this is what is causing the application to fail.

So at this point I would say this is a repeatable bug, and I think it has to do with the switch to Protected View. At this point I cannot use AppLocker to limit the use of Office 2010 to a group.
June 25th, 2012 11:41am
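To line up the two AppLocker events described above against the document's Zone.Identifier stream, here is an added diagnostic script (not code from the thread, from Microsoft or from the hotfix). It assumes Windows PowerShell 5.1 or later on the test machine, an elevated prompt so the AppLocker log can be read, and placeholder values for the document path and the Office binary.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+, an elevated
# prompt (needed to read the AppLocker log) and the placeholder paths below.
param(
    [string]$Document    = 'C:\Temp\adstest.xlsx',   # placeholder: document that triggers the error
    [string]$ImageMatch  = '*\EXCEL.EXE',            # placeholder: Office binary to look for
    [int]   $MinutesBack = 15
)

# 1. Show the Zone.Identifier stream. "ZoneId=3" marks the file as coming from the
#    Internet zone, which is what sends Office into Protected View; no stream = local file.
$zone = Get-Content -Path $Document -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
if ($zone) { "Zone.Identifier on ${Document}:"; $zone | ForEach-Object { "    $_" } }
else       { "No Zone.Identifier stream on $Document (treated as a local file)." }

# 2. Pull recent AppLocker EXE/DLL events for that image.
#    8002 = allowed, 8003 = would have been blocked (audit mode), 8004 = blocked.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    StartTime = (Get-Date).AddMinutes(-$MinutesBack)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = $x.Event.UserData.RuleAndFileData       # AppLocker's event payload element
    if ($d.FilePath -like $ImageMatch) {
        $outcome = switch ($e.Id) { 8002 {'allowed'} 8003 {'audit-block'} 8004 {'BLOCKED'} default {'other'} }
        [pscustomobject]@{
            Time     = $e.TimeCreated
            EventId  = $e.Id
            Outcome  = $outcome
            User     = $d.TargetUser               # SID the rule was evaluated against
            ProcId   = $d.TargetProcessId
            Rule     = $d.RuleName
            FilePath = $d.FilePath
        }
    }
}

# 3. The post reports two events for one launch: the first allowed, the second blocked
#    when Protected View starts. Sorting by time lines the pair up; compare User and Rule
#    on the second row with the run where the rule is set to "Everyone" and it works.
$rows | Sort-Object Time | Format-Table Time, EventId, Outcome, User, ProcId, Rule -AutoSize
```

Run it once right after reproducing the error with the group-scoped rule and once with the rule set to Everyone, and diff the two tables.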

I got an e-mail yesterday from a Microsoft employee; thanks, Tim. The e-mail was about KB2532445-v2, having to do with Office macros and AppLocker. I'm not really sure how this applies to what I reported here, but the hotfix he gave me worked. After applying the hotfix the rules no longer gave the error and Office worked as expected. Again, thank you Tim.
June 28th, 2012 6:42pm
