Best practices

Always test a policy on a test computer before applying it to any other computers.

Do not apply rules at the Disallowed level without proper testing. Restrictions on certain files can seriously affect the operation of your computer or network.


Software restriction policies should not be used as a replacement for anti-virus software.


Use software restriction policies in conjunction with access control settings.

For more information, see Access Control.


Prepare carefully if using Disallowed as the default setting

Many applications start other applications to perform certain tasks. You should ensure that all major tasks in your applications are covered by your rules.

If your computer needs to run logon scripts, make sure you have created a path rule that allows for them to run.

For information on how precedence works on path rules, see Precedence of software restriction policies.

Check the Startup folder on your computer and ensure those programs are allowed to run.

You can also find startup items in the registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

You can create a Disallowed rule for:

%windir%\system32\dllcache

A copy of a program you may have disallowed may exist here, giving that program the ability to run.
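
The checks above can be scripted before the default level is switched to Disallowed. The following PowerShell is an added example, not code from the original page: it lists programs started from the current user's Startup folder and the Run key, then looks in dllcache for copies of programs you have disallowed. The file names in $disallowed are constructed placeholders.

```powershell
# Added example (not Microsoft's code): list auto-start programs that need an
# allowing rule, and look for dllcache copies of programs you have disallowed.
$items = @()

# 1. Current user's Startup folder; shortcuts are resolved to their targets.
$startup = [Environment]::GetFolderPath('Startup')
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path $startup -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -eq '.lnk') {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
        }
        $items += [pscustomobject]@{ Source = 'Startup folder'; Name = $_.Name; Program = $target }
    }

# 2. Values under the Run key named on this page.
$key = Get-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($name)
        # Separate the program path from its arguments: quoted path first,
        # otherwise everything up to the first executable extension.
        if ($cmd -match '^\s*"([^"]+)"') { $program = $Matches[1] }
        elseif ($cmd -match '^\s*(.+?\.(exe|com|bat|cmd|vbs))(\s|$)') { $program = $Matches[1] }
        else { $program = $cmd }
        $items += [pscustomobject]@{ Source = 'HKCU Run'; Name = $name; Program = $program }
    }
}
$items | Format-Table -AutoSize -Wrap

# 3. Copies of disallowed programs in dllcache. The names are constructed
#    placeholders; replace them with the file names your own rules disallow.
$disallowed = @('example-tool.exe', 'example-game.exe')
$dllcache = Join-Path $env:windir 'system32\dllcache'
foreach ($file in $disallowed) {
    $copy = Join-Path $dllcache $file
    if (Test-Path -LiteralPath $copy) {
        Write-Output "Copy present (add a Disallowed rule for dllcache): $copy"
    }
}
```

Each program listed in the first table needs a rule that allows it, or it will stop running at logon once the default level is Disallowed.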

