All client computers on your company network run Windows 7 and are members of an Active
Directory Domain Services domain. AppLocker is configured to allow only approved applications to
run. Employees with standard user account permissions are able to run applications that install into
the user profile folder. You need to prevent standard users from running unauthorized applications.
What should you do?
A.
Create Executable Rules by selecting the Create Default Rules option.
B.
Create Windows Installer Rules by selecting the Create Default Rules option.
C.
Create the following Windows Installer Rule:
Deny Everyone – %OSDRIVE%\Users\<user name>\Downloads\*
D.
Create the following Executable Rule:
Deny – Everyone – %OSDRIVE%\Users\<user name>\Documents\*
Explanation:
A)
Create Executable Rules by selecting the Create Default Rules option.
Many organizations are implementing standard user policies, which allow users to log on to their
computers only as a standard user. With Windows Vista®, this task became easier. However, more
independent software vendors (ISVs) are creating per-user applications that do not require
administrative rights to be installed and that are installed and run in the user profile folder. As a
result, standard users can install many applications and circumvent the application lockdown policy.
With AppLocker, you can prevent users from installing and running per-user applications.
To prevent standard users from running per-user:
To open the Local Security Policy MMC snap-in, click Start, type secpol.msc in the Search programs
and files box, and then press ENTER.
In the console tree, double-click Application Control Policies, and then double-click AppLocker.
Right-click Executable Rules, and then click Create Default Rules.
http://technet.microsoft.com/en-us/library/dd723685(WS.10).aspx