I've adjusted a GPO for Windows XP in ConsoleOne

I added 4 items to be disallowed

I associated them to a user, waited a few minutes, logged into the workstation as the user, and the 4 programs ARE disallowed.

I then went into ZEN and created a new GPO that ALLOWED 2 of the 4 programs.

I then associated THAT GPO to the same user (obviously consoleone pops up that message and removes the user from the "old" GPO and associates them to the new one)

Waited a few minutes, logged into the workstation.

The new policy does not take effect.

We have the GPO set to cache (but not remain in effect on logout), and we only associate to a user object (or a container of users, not the workstation itself).

I realize that the GPO "software restrictions" is under the "computer" but we have other stuff in there that works just fine when the GPO is associated in ZEN to the USER object.

However, we do not do the "security" settings in the ZEN GPO (because then it mucks up our AD security settings such as password policies, etc.)

However, I would think that if THAT was the issue, the GPO would never apply in the first place.

To further complicate things, if I associate the "allow 2 of 4" GPO FIRST, it works, but then if I associate the "DISALLOW all 4" to the same user, it does not

(it's like only lets one of them work once).

BUT, all other settings behave/work normally