Since ZCM doesn't have rogue process management, we'll have to use GPO on our XP machines.

So you go into the mmc, edit the local GPO, and define the default security level of:

Then you add additional rules like:

c:\program files\something\blah.exe = Disallowed

Okay, you save the GPO and apply it to an eDir container (so all the users get it).

That works okay. Said program is blocked/whacked via GPO.

Now, you create ANOTHER GPO via MMC, but this time you set the SAME settings except instead of:

c:\program files\something\blah.exe = Disallowed

you change it to be:

c:\program files\something\blah.exe = UNRESTRICTED

Now, save it and this time, assign it to a specific USER object in eDir that's in the same eDir container that the previous GPO is still applied to.

In other words, you want one specific user to be able to run the software and others to be NOT able to run it.

Unfortunately it seems that the GPO is not applied properly. If I look in:
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
I'll see two main keys:


The "0" key is for DISALLOWED software and it'll show the c:\program files\something\blah.exe

The 262144 is for UNRESTRICTED software and it'll ALSO show:
c:\program files\something\blah.exe

Unfortunately it seems that the restricted one always wins.

Is this how NORMAL AD GPO works? I don't think so, only because the TechNet articles seem to indicate that with AD GPO it would be merged and the one set for the user should win?
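An added example (not from the original post or from Novell/Microsoft) that models the situation described above: the CodeIdentifiers layout with a "0" (Disallowed) key and a "262144" (Unrestricted) key, the same path rule present under both, and the question of which rule wins. It resolves the effective SRP level for a given executable using Microsoft's documented path-rule precedence (a more specific path beats a less specific one; at equal specificity the more restrictive level wins) and flags paths that appear under more than one level, which is the conflict an administrator would want to find when auditing a machine. The registry contents, GUID names and the `find_conflicts` / `effective_level` helpers are constructed for this example; it handles literal paths only, not SRP wildcards or environment-variable expansion.

```python
"""Audit helper for Software Restriction Policy (SRP) path rules.

Models HKLM\\Software\\Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers,
where each security level is a subkey ("0" = Disallowed, "262144" = Unrestricted)
holding Paths\\<GUID> entries whose ItemData is the rule path.
All data below is constructed sample data, not read from a real machine.
"""
import ntpath

DISALLOWED = 0          # CodeIdentifiers\0
UNRESTRICTED = 262144   # CodeIdentifiers\262144
LEVEL_NAMES = {DISALLOWED: "Disallowed", UNRESTRICTED: "Unrestricted"}

# Constructed sample mirroring the post: the same executable is listed as a
# path rule under BOTH levels, plus a folder-wide Disallowed rule.
# GUID names are placeholders, not real rule identifiers.
SAMPLE_RULES = {
    DISALLOWED: {
        "{GUID-PLACEHOLDER-1}": "c:\\program files\\something\\blah.exe",
        "{GUID-PLACEHOLDER-2}": "c:\\program files\\something\\",
    },
    UNRESTRICTED: {
        "{GUID-PLACEHOLDER-3}": "c:\\program files\\something\\blah.exe",
    },
}


def _norm(path):
    # Windows paths are case-insensitive; strip a trailing backslash so a
    # folder rule and the same folder without the slash compare equal.
    return ntpath.normcase(path.rstrip("\\"))


def path_matches(rule, target):
    """A path rule matches the file itself or anything below a folder rule."""
    rule_n, target_n = _norm(rule), _norm(target)
    return target_n == rule_n or target_n.startswith(rule_n + "\\")


def specificity(rule):
    """Deeper paths are more specific (documented SRP precedence)."""
    return len(_norm(rule).split("\\"))


def effective_level(rules, target, default=UNRESTRICTED):
    """Return (level, winning_rule) for target, or (default, None) if no rule matches.

    winning_rule is (specificity, level, guid, rule_path).
    """
    matches = [
        (specificity(rule), level, guid, rule)
        for level, entries in rules.items()
        for guid, rule in entries.items()
        if path_matches(rule, target)
    ]
    if not matches:
        return default, None
    best = max(m[0] for m in matches)
    tied = [m for m in matches if m[0] == best]
    # Equal specificity: the more restrictive level wins (lower numeric value).
    winner = min(tied, key=lambda m: m[1])
    return winner[1], winner


def find_conflicts(rules):
    """Normalized paths that appear under more than one security level."""
    seen = {}
    for level, entries in rules.items():
        for rule in entries.values():
            seen.setdefault(_norm(rule), set()).add(level)
    return sorted(p for p, levels in seen.items() if len(levels) > 1)


if __name__ == "__main__":
    for path in find_conflicts(SAMPLE_RULES):
        print("conflict: %s is listed under more than one level" % path)
    for exe in ("C:\\Program Files\\Something\\blah.exe",
                "c:\\program files\\something\\other.exe",
                "c:\\windows\\notepad.exe"):
        level, rule = effective_level(SAMPLE_RULES, exe)
        print("%-45s -> %-12s via %s" % (exe, LEVEL_NAMES[level], rule and rule[3]))
```

To run this against a real machine, replace `SAMPLE_RULES` with data read through the standard library `winreg` module (walk `CodeIdentifiers\<level>\Paths\<GUID>` and read each `ItemData` value); the resolution logic does not change. Because the folder rule and the two identical file rules resolve the way the post observes (Disallowed wins the tie), the script makes the precedence visible before a policy is rolled out to a container.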