Software restriction policy problem in Vista
I am having problems with a software restriction policy on Vista Ultimate. I have it set up as follows:Enforcement: All software files All users except local administrators Ignore certificate rulesDesignated file types: All default ones except .lnkTrusted publishers: NoneSecurity Levels: Disalowwed by defaultAdditional rules %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot% Path Unrestricted %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir% Path UnrestrictedWhat I find is that it blocks things it should not. If I have Word or pdf documents on a CD or USB drive they will not open when I double click on them. If I turn on logging I get lines like:C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.dll as Disallowed using default ruleC:\Program Files\Microsoft Office\Office12\wwlib.dll as Disallowed using default ruleIt all works fine if the documents are on my main C drive.Can anyone help me please? Is this a known bug?Theo
January 25th, 2008 10:13pm

Hi Theo, Please change the All software files in the enforcement setting to the All software files excepte libraries. Then, try to see if it works. Hope this helps.
Free Windows Admin Tool Kit Click here and download it now
January 31st, 2008 1:43pm

This does stop it blocking the documents, thank you. Unfortunately, this is not what I want. I want to be able to stop all unwanted software including dlls. The dlls it blocked should not be blocked as they are on an allowed path.Theo
February 2nd, 2008 12:54pm

Hi Theo, Please try to set rules for all the dll file used by program in order to use PDF or DOC program? Based on my test, if these programs are installed on the other drive rather than C, the program cannot be run regardless the disk partition. It seems the dll files on the C main drive is allowedwhich need to load Windows Vista. Hope this helps.
Free Windows Admin Tool Kit Click here and download it now
February 2nd, 2008 3:59pm

The rules appear to be correctly set. All the programs and DLL files are on the C drive. If I open a PDF document on the C drive it works. If I open a PDF document on the E drive then the DLL files on the C drive, that worked before, are blocked. The same happens with Word files. Ordinary text files on the E drive open correctly in notepad. The same settings work on my XP computer at work. I only have a problem on Vista.
February 2nd, 2008 4:35pm

Hi Theo, I have performed a further test. If theprogram is installed on other drives instead of system drive C on Windows XP, the PDF/DOC also cannot be opened with the same GPO setting. It seems the DLL files on the system drive will beallowed by design. However, Windows Vista enhance securityon this point. If the program on system drive, the application on other drives will not call the necessary DLL files automatically which is different from Windows XP. Thus, since many applicatin will call needed DLL when running, we recommendtoconfigure "All software files excepte libraries" setting to avoid this. Also, if you do not want to do this, you can copy these PDF/DOC files on the system drive as awork around. Hope this helps.
Free Windows Admin Tool Kit Click here and download it now
February 3rd, 2008 7:08pm

I suppose that explains it. However, it is very inconvenient and against the spirit of the software restriction policy. I wish Microsoft would fix this. If the software restriction policy was easy to set up, did not have these problems and was available to home users it could be a very useful defence against malware.Thank you,
February 3rd, 2008 11:20pm

Hi, Thanks for your update and I will forward your suggestion to product team for consideration in the future.
Free Windows Admin Tool Kit Click here and download it now
February 4th, 2008 11:25am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics