I have a Zenworks application for Symantec endpoint set to force run for a certain group of users. Some of the users in this group are helpdesk people. I am trying to prevent my Helpdesk from having to sit through unnecessary installs of Symantec Endpoint as they access other machines.

To do this I explicitly associated the Symantec "forced run" application to the specific users and unchecked the "Force Run" option. Therefore when I look at the Association tab of the Symantec Application object, I see one Forced association to the User Group and several "Not Forced" associations to specific users.

I was told some time ago that when you create multiple associations to a Zenworks application for a user or group, the most restrictive wins. However, I'm not seeing this behavior with my setup. Instead all users are getting the Symantec application forced to them at login.

Has anyone gotten this type of setup to work? (Or know of a way to construct this behavior with Zenworks)