Windows XP: Restricted access

Hardly a day goes by without someone receiving the binary equivalent of a landmine in their e-mail, and idly clicking on it to see what happens. System administrators can't hold everyone's hand all the time, but Software Restriction Policies (SRPs) may help by limiting the code that a user can execute.

They're useful as a first line of defence against viruses and malware, and can also stop users from running software that only administrators should execute, without having to lock down each program individually. There are limits, though. SRPs check a file only when Windows is asked to run it, so they can't control code that executes inside an allowed program, such as Office macros, nor do they apply to hardware drivers and other kernel-mode software, or to programs run by the System, Network Service and Local Service accounts. They are a policy for ordinary users: anyone with local administrator rights can edit or switch them off.

To add an SRP, go to Control Panel, double-click Administrative Tools and then the Local Security Policy icon. You'll find Software Restriction Policies in the left-hand pane (if no policy exists yet, create one from the Action menu), with branches for Security Levels and Additional Rules. Unrestricted is the lowest security level: everything runs except what you specifically disallow. Disallowed is the exact opposite: nothing runs except what you specifically allow. Disallowed is the stronger choice, but it will block logon scripts, installers and anything else you forgot to exempt, so build and test your exception rules before you change the default. Windows starts you off with two Unrestricted path rules covering the Windows folder and Program Files, which is why the operating system itself keeps working under a Disallowed default.

Keeping the default at Unrestricted and adding Disallowed rules is the blacklist approach, best for stopping a few known troublemakers. Setting the default to Disallowed and adding Unrestricted rules is a whitelist: a blanket ban on everything apart from known applications. Either way, Additional Rules hold the exceptions to the general policy, identifying the software that can or cannot run. There are four rule types; when more than one matches a file, the higher-precedence type decides, in this order:

Hash rule

A hash is a fixed-length digest computed from the file's contents (Windows XP stores an MD5 digest together with the file's size), so it identifies that exact build of a program regardless of its name or location. When you try to run an executable, SRP hashes it and looks for a rule with a matching value; if it finds one, the rule's security level decides whether the program runs.

For example, your default security level is Unrestricted and you decide that the ftrace.exe program is evil. Click on Additional Rules, and select New Hash Rule... from the Action menu to bring up the hash rule dialogue. Click on Browse..., find the ftrace.exe file, select it to let Windows XP compute the hash, then pick Disallowed from the Security level list box and click OK.

Now when you try to run the program, SRP checks the hash, finds the rule and refuses to execute it, even if the file has been renamed or moved. The flip side is that the hash covers the exact bytes: change a single byte, recompile or pack the file and the hash no longer matches, so the rule silently stops applying. Hash rules are therefore good for pinning a specific known-bad or known-good build, and poor at keeping up with malware that is rebuilt constantly; if you whitelist a program by hash, every update needs a new rule.

Certificate rule

This rule identifies software by the code-signing certificate it carries. Microsoft's Windows XP documentation says it applies to scripts and Windows Installer packages (MSI), not to files with .exe and .dll extensions, so don't count on it to control ordinary executables. An administrator can decide, for instance, that only scripts signed by an approved publisher will run. A certificate rule is created from the Action menu in the same way as a hash rule; you'll need the publisher's certificate file to import, of course. Certificate rules are disabled by default and are switched on through the Security Options setting "System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies"; if you also enable revocation checking (see Trusted Publishers below), every launch the rule covers costs a network lookup.

Path rule

The Path rule identifies software by where it lives. A rule on a folder covers everything beneath it; patterns can use environment variables such as %USERPROFILE% and wildcards, and the two default rules Windows creates point at registry values (the SystemRoot and ProgramFilesDir locations) rather than fixed paths. Path rules are very useful: you can decide that nothing may run from My Documents or from mail attachment folders, or, under a Disallowed default, that only the Windows and Program Files folders are trusted. Two cautions. Don't disallow system folders; Windows itself runs from them. And an Unrestricted path rule is only as strong as the folder's permissions: if ordinary users can write to that folder, or to any subfolder beneath it, they can drop a program there and run it, so check the ACLs on anything you allow by path.

Internet Zone rule

The Internet Zone rule applies only to Windows Installer packages (MSI), which makes it less useful than it sounds. It identifies a package by the Internet Explorer zone it came from: Local Computer, Local Intranet, Internet, Trusted Sites or Restricted Sites. Because it ignores .exe files and everything else, it won't stop a program downloaded in Internet Explorer; its main use is controlling where MSI packages may be installed from.
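The precedence rules above are easier to trust once you have watched them resolve a conflict. The PowerShell below is an added example, not code from the article or from Windows: it is a small model of how SRP picks a level when several rules match one file, using constructed rules and file paths. Hashes are placeholder strings rather than real MD5 digests, the signer and download zone of each file are supplied as already-resolved facts (the model does not verify signatures or query Internet Explorer), and the file-size part of a real hash rule is omitted.

```powershell
# Added example (not from the article): a model of SRP rule precedence.
# Hash > certificate > path > zone; among path rules the most specific
# match wins, and identical rules that disagree resolve to the more
# restrictive level. Rules, paths and hashes below are constructed.

$Disallowed   = 0        # SAFER level IDs as Windows stores them
$Unrestricted = 262144

function New-SrpRule([string]$Kind, [string]$Match, [int]$Level) {
    # Kind: Hash | Cert | Path | Zone. Match: placeholder hash, publisher, path pattern or zone name.
    New-Object PSObject -Property @{ Kind = $Kind; Match = $Match; Level = $Level }
}

function New-SrpFile([string]$Path, [string]$Hash, [string]$Signer, [string]$Zone) {
    # A file as the engine would see it; Signer/Zone are assumed pre-resolved.
    New-Object PSObject -Property @{ Path = $Path; Hash = $Hash; Signer = $Signer; Zone = $Zone }
}

function Expand-SrpPath([string]$Pattern) {
    # Path rules may contain environment variables; a folder rule covers its subtree.
    [Environment]::ExpandEnvironmentVariables($Pattern).TrimEnd('\')
}

function Test-SrpPathMatch([string]$Pattern, [string]$Path) {
    $p = Expand-SrpPath $Pattern
    if ($p -match '[\*\?]') { return ($Path -like $p) -or ($Path -like "$p\*") }
    return ($Path -eq $p) -or $Path.StartsWith("$p\", [StringComparison]::OrdinalIgnoreCase)
}

function Select-MostRestrictive($Hits) {
    # Lower level ID = more restrictive (Disallowed is 0).
    @($Hits | ForEach-Object { $_.Level } | Sort-Object)[0]
}

function Resolve-SrpLevel($Rules, $File, [int]$DefaultLevel) {
    # 1. Hash rules beat everything else, whatever the file is called or where it sits.
    $hits = @($Rules | Where-Object { $_.Kind -eq 'Hash' -and $_.Match -eq $File.Hash })
    if ($hits.Count) { return Select-MostRestrictive $hits }
    # 2. Certificate rules: scripts and .msi only on Windows XP, never .exe/.dll.
    $hits = @($Rules | Where-Object { $_.Kind -eq 'Cert' -and $File.Signer -and $_.Match -eq $File.Signer -and $File.Path -notmatch '\.(exe|dll)$' })
    if ($hits.Count) { return Select-MostRestrictive $hits }
    # 3. Path rules: longest (most specific) expanded pattern wins; ties go to the lower level.
    $hits = @($Rules | Where-Object { $_.Kind -eq 'Path' -and (Test-SrpPathMatch $_.Match $File.Path) })
    if ($hits.Count) {
        $best = $hits | Sort-Object @{ Expression = { (Expand-SrpPath $_.Match).Length }; Descending = $true }, @{ Expression = { $_.Level } } | Select-Object -First 1
        return $best.Level
    }
    # 4. Zone rules: Windows Installer packages only, keyed on the download zone.
    $hits = @($Rules | Where-Object { $_.Kind -eq 'Zone' -and $File.Path -match '\.msi$' -and $_.Match -eq $File.Zone })
    if ($hits.Count) { return Select-MostRestrictive $hits }
    return $DefaultLevel
}

# --- constructed scenario: Unrestricted default, ftrace.exe banned by hash ---
$docs  = 'C:\Documents and Settings\alice\My Documents'
$rules = @(
    (New-SrpRule Path '%SystemRoot%' $Unrestricted),
    (New-SrpRule Path $docs          $Disallowed),     # nothing runs from My Documents...
    (New-SrpRule Path "$docs\Tools"  $Unrestricted),   # ...except its Tools subfolder
    (New-SrpRule Hash 'aabbccdd'     $Disallowed),     # placeholder hash standing in for ftrace.exe
    (New-SrpRule Zone 'Internet'     $Disallowed)
)
$files = @(
    (New-SrpFile "$docs\Tools\renamed.exe" 'aabbccdd' '' ''),          # same bytes as ftrace.exe: hash rule outranks the Tools path rule
    (New-SrpFile "$docs\Tools\ftrace.exe"  'aabbccde' '' ''),          # one byte changed: no hash match, Tools path rule applies
    (New-SrpFile "$docs\ftrace.exe"        'aabbccde' '' ''),          # outside Tools: only the My Documents rule matches
    (New-SrpFile "$docs\Tools\setup.msi"   '11223344' '' 'Internet')   # path rule outranks the zone rule
)
foreach ($f in $files) {
    $level = Resolve-SrpLevel $rules $f $Unrestricted
    '{0,-12} {1}' -f $(if ($level -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' }), $f.Path
}
```

The second and third files are the practical lesson: a hash rule stops the exact banned build wherever it goes, but a modified copy falls straight through to whatever the path rules say about its folder, so the folder rules, not the hash rule, are what decide whether a re-packed sample runs.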

At the top level of the SRP branch you'll also find the Enforcement, Designated File Types and Trusted Publishers objects. Tread carefully here. The Enforcement object decides whether the policy covers all software files or all software files except libraries such as DLLs. Checking libraries means every DLL an executable loads is tested against the policy, which slows the system down noticeably, and under a Disallowed default you'd have to write a rule for every library each allowed program calls. The price of skipping them is that DLL loading goes unchecked, so a library a user can plant alongside an allowed program, or hand to a system tool that loads DLLs on request, is not covered. Enforcement also lets you choose whether the policy applies to all users or to all users except local administrators; choose all users unless you have a specific reason not to, because on a machine where people routinely work as administrator the exemption leaves the policy protecting nobody.

The Designated File Types object is the list of file extensions SRP treats as executable code, in addition to standard program types such as .exe and .dll. Review it rather than trust it: make sure the script and installer extensions in use on your network are listed, since a type that isn't there is never checked. These needn't be executables, either; you could just as easily restrict TXT files if you wanted to.

The Trusted Publishers object doesn't let you add or remove trusted software publishers. It only decides whether ordinary users of the computer can choose which publishers to trust, or whether that decision is reserved for administrators. You can also tell it to check for revocation of the publisher's certificate and of the time-stamp on the signature, at the cost of a network lookup each time a covered file is launched.


Finally, to apply the changed policy, open a CMD box and type gpupdate to refresh it. The program has several options, described by the usual /? switch, but you don't normally need them. Then test the result: try to run something the policy should block and look in the Application event log, where the Software Restriction Policies source records each program it refused and the rule responsible.
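Once the policy is in place, the settings discussed above are worth checking from the command line rather than by clicking through the snap-in. The PowerShell below is an added example, not code from the article or from Microsoft: it reads the local SRP configuration from the registry and flags the weak settings covered in this article. It assumes the standard Safer key layout the Local Security Policy snap-in writes (HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, with DefaultLevel, TransparentEnabled, PolicyScope, AuthenticodeEnabled and ExecutableTypes values, and one subkey per security level ID holding Paths and Hashes rules); LogFileName is the optional advanced-logging value and is only reported if present. Run it from a PowerShell prompt with local administrator rights.

```powershell
# Added example (not from the article): audit the local SRP configuration
# from the registry and warn about the settings that weaken it.

$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$BroadPrincipals = @('Everyone', 'Users', 'Authenticated Users', 'INTERACTIVE')
# WriteData (0x2) | AppendData (0x4) plus the GENERIC_WRITE and GENERIC_ALL bits
$WriteMask = 0x6 -bor 0x40000000 -bor 0x10000000

function Resolve-SrpPath([string]$ItemData) {
    # Path rules may point at a registry value, as the two default rules do, e.g.
    # %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
    if ($ItemData -match '^%(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\(.+)\\([^\\]+)%(.*)$') {
        $hives = @{ HKEY_LOCAL_MACHINE = 'HKLM:'; HKEY_CURRENT_USER = 'HKCU:' }
        $key = Get-ItemProperty -Path (Join-Path $hives[$matches[1]] $matches[2]) -Name $matches[3] -ErrorAction SilentlyContinue
        if ($key) { return $key.($matches[3]) + $matches[4] }
    }
    [Environment]::ExpandEnvironmentVariables($ItemData)
}

function Test-UserWritable([string]$Dir) {
    # An Unrestricted folder is only as strong as its ACL: if ordinary users can
    # create files in it or in any subfolder, they can run whatever they put there.
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return }
    $dirs = @(Get-Item -LiteralPath $Dir) + @(Get-ChildItem -LiteralPath $Dir -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })
    foreach ($d in $dirs) {
        $acl = Get-Acl -Path $d.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            $who = ($ace.IdentityReference.Value -split '\\')[-1]
            if ($ace.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $who -and (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) {
                Write-Warning "$($d.FullName) is writable by $($ace.IdentityReference) but lies under an Unrestricted path rule"
            }
        }
    }
}

function Get-SrpReport {
    if (-not (Test-Path $Safer)) { Write-Warning 'No software restriction policy is defined on this machine'; return }
    $ci = Get-ItemProperty -Path $Safer
    "Default level     : $($LevelNames[[int]$ci.DefaultLevel])"
    # TransparentEnabled: 1 = all software files except libraries, 2 = all files including DLLs
    "DLL enforcement   : " + $(if ($ci.TransparentEnabled -eq 2) { 'on' } else { 'off (DLLs are not checked)' })
    # PolicyScope: 0 = all users, 1 = all users except local administrators
    "Applies to admins : " + $(if ($ci.PolicyScope -eq 1) { 'NO (local administrators exempt)' } else { 'yes' })
    "Certificate rules : " + $(if ($ci.AuthenticodeEnabled -eq 1) { 'enabled' } else { 'disabled' })
    "Designated types  : " + ($ci.ExecutableTypes -join ' ')
    if ($ci.LogFileName) { "Advanced log      : $($ci.LogFileName)" }

    foreach ($levelKey in @(Get-ChildItem -Path $Safer)) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }   # only level-ID subkeys hold rules
        $level = [int]$levelKey.PSChildName
        foreach ($rk in @(Get-ChildItem -Path "$($levelKey.PSPath)\Paths" -ErrorAction SilentlyContinue)) {
            $r = Get-ItemProperty -Path $rk.PSPath
            "$($LevelNames[$level]) PATH $($r.ItemData)  $($r.Description)"
            if ($level -eq 262144) { Test-UserWritable (Resolve-SrpPath $r.ItemData) }
        }
        foreach ($rk in @(Get-ChildItem -Path "$($levelKey.PSPath)\Hashes" -ErrorAction SilentlyContinue)) {
            $r = Get-ItemProperty -Path $rk.PSPath
            $hex = ($r.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
            "$($LevelNames[$level]) HASH $hex size=$($r.ItemSize) $($r.FriendlyName)"
        }
    }
}

Get-SrpReport
```

The writability walk is the slow part, since it recurses through every folder under each Unrestricted path rule (the whole Windows tree for the default SystemRoot rule), but that recursion is the point: the folders that undermine a whitelist are usually subfolders, not the top-level directory you allowed.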

Juha Saarinen

PC World