JSI Tip 7352. How do I use software restriction policies in Windows Server 2003?

Microsoft Knowledge Base Article 324036 contains the following summary:

This article describes how to use software restriction policies in Windows Server 2003. When you use software restriction policies, you can identify and specify the software that is allowed to run so that you can protect your computer environment from untrusted code. When you use software restriction policies, you can define a default security level of Unrestricted or Disallowed for a Group Policy object (GPO) so that software is either allowed or not allowed to run by default. To create exceptions to this default security level, you can create rules for specific software. You can create the following types of rules:

•	Hash rules
•	Certificate rules
•	Path rules
•	Internet zone rules

A policy is made up of the default security level and all of the rules applied to a GPO. This policy can apply to all of the computers or to individual users. Software restriction policies provide a number of ways to identify software, and they provide a policy-based infrastructure to enforce decisions about whether the software can run. With software restriction policies, users must follow the guidelines that are set up by administrators when they run programs.

With software restriction policies, you can perform the following tasks:

•	Control which programs can run on your computer. For example, you can apply a policy that does not allow certain file types to run in the e-mail attachment folder of your e-mail program if you are concerned about users receiving viruses through e-mail.
•	Permit users to run only specific files on multiple-user computers. For example, if you have multiple users on your computers, you can set up software restriction policies in such a way that users do not have access to any software except for those specific files that they must use for their work.
•	Decide who can add trusted publishers to your computer.
•	Control whether software restriction policies affect all users or just certain users on a computer.
•	Prevent any files from running on your local computer, your organizational unit, your site, or your domain. For example, if there is a known virus, you can use software restriction policies to stop the computer from opening the file that contains the virus.IMPORTANT: Microsoft recommends that you do not use software restriction policies as a replacement for antivirus software.