HOTSPOT
Your network contains an Active Directory forest. The forest contains a single domain named
contoso.com.
AppLocker policies are enforced on all member servers.
You view the AppLocker policy applied to the member servers as shown in the exhibit. (Click the
Exhibit button.)
To answer, complete each statement according to the information presented in the exhibit. Each
correct selection is worth one point.
Answer: 
Explanation:
I had Internet explorer – No one, would not the deny rule on domain users take precedence as there is no exception configured?
The answer is “Only Local Users” and “Everyone”
What? “Only local Users”? It states very clearly that Domain Admins are allowed to run Internet Explorer.
everyone = Allow , but Domain users = deny , therefore deny is more restrictive , the allow rule for domain admins is then the only rule that allows IE
Kampai is right, By default Domain Admins are members of Domain Users, therefore the Domain Users deny rule would prevent Domain Admins from running IE
The answer is “Only Local Users” and “Everyone”
You are right. Thanks
by default every user, including Domain Admins are member of Domain Users. Deny takes precedence, Domain Users are denied to run IE, so would be Domain Admins.
I agree that Local Users would be able to run IE unless Everyone had a Deny, which doesn’t
I agree with Josh, Local Users and Everyone are the answers
You guys should try this in a domain. I’d wager the answer given is correct. I’ve seen it happen myself. Even thought Domain Admins are by default a member of the group Domain Users, they still get their domain admin permissions.
Answer:
Only Local users
Everyone
You can use a combination of allow actions and deny actions. However, we recommend using allow actions with exceptions because deny actions override allow actions in all cases. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path.
https://technet.microsoft.com/en-us/library/ee460942(v=ws.11).aspx
I think the given answer is correct
* Only the members of domain admins
* Everyone
Because who said that the domain admins are member of Server Admins as well?
It is not a builtin group.
Never mind, i forgot about the Domain Users group deny rule
Answer:
Only Local users
Everyone
Answer displayed is correct (1. Only members of Domain Admins and 2. Everyone).
I tried this in my lab and if you create a new user and make them a member of the Domain Admins group AND remove them from the Domain Users group, the AppLocker rule won’t apply (as Domain Admins isn’t blocked in any way).