[Short Version:]

We have Software Restriction Policies (SRP) enabled through a group
policy that is associated with all of our workstation objects (not
users). I'm finding that the SRP rules are getting ignored randomly
and restricting programs that should be unrestricted. The group policy
that we have contains many other settings besides the SRP like
disabling the run command, etc. These other settings seem to be
getting applied correctly every time. It's just the SRP that seems to
fail randomly.


The SRP is set up so that the default setting is disallowed. This means
that all programs are blocked from running by default unless explicitly
allowed. I have it set up to allow everything from C:\ and other
specific network locations so that users can launch approved programs.
[Note that I disallow access to the C:\ drive via a group policy
setting so that users cannot navigate to this drive to add programs or
launch programs.] If users need to launch something from C:\, they use
the NAL.

For the most part, the SRPs work perfectly. When users download
aim.exe to their home directory (H:\) and then try to install, it is
prevented from running and all is well. The problem starts when users
try to launch a program like Microsoft Word from the NAL and they get a
message saying it is prevented from running because of the SRP. Word
is installed to the default location at C:\Program Files\ which is
explicitly allowed via the "C:\" rule that is defined in the SRP.
Sometimes the NAL is even restricted from running and then the user is
only able to see the desktop with no icons. The only way to fix this
issue is to restart the PC and log back in. This **usually** fixes the
problem. Note, however, that it seems to be completely random.
Sometimes a restart will not fix the issue and the group policy has to
be removed manually.

The event viewer shows that when these programs are restricted, it's
coming from the "default software restriction policy". This tells me
that it's being blocked because the default SRP is set as disallowed.
For some reason, it doesn't see the rule that says allow everything
from c:\ to run without restriction. Note that I have never had a
problem with files on a network share. This only happens for programs
running from C:\.

I have tried re-creating the group policy from scratch, adding the rule
"%systemdrive%" instead of "c:\", adding rules for "c:\program files\",
"c:\windows\system32", etc. I get the same results each time.

I have enabled advanced SRP logging but only see more detail about what
I already know. Processes that are supposed to be allowed are being
restricted for an unknown reason.

Has anyone else experienced this issue? Could it be a Microsoft
problem in how they implement Software Restriction Policies or could it
be a ZENworks problem in how and when they apply the policies? I've
looked on both Microsoft and Novell's websites and have not found a

Any help would be appreciated.


Danny Eddy