Software restriction policies overview

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Software restriction policies overview

Software restriction policies address the need to regulate unknown or untrusted software. With the rise in the use of networks, the Internet, and e-mail for business computing, users find themselves exposed to new software in a variety of ways. Users must constantly make decisions about running unknown software. Viruses and Trojan horses often intentionally misrepresent themselves to trick users into running them. It is difficult for users to make safe choices about what software they should run.

With software restriction policies, you can protect your computing environment from untrusted software by identifying and specifying what software is allowed to run. You can define a default security level of Unrestricted or Disallowed for a Group Policy object (GPO) so that software is either allowed or not allowed to run by default. You can make exceptions to this default security level by creating software restriction policies rules for specific software. For example, if the default security level is set to Disallowed, you can create rules that allow specific software to run. The types of rules are as follows:

  • Hash rules

  • Certificate rules

  • Path rules (including registry path rules)

  • Internet zone rules

For more information about each of these rules, see Security levels and additional rules.

Software restriction policies consist of the default security level and all the rules that apply to a GPO. Software restriction policies can be applied across a domain, to local computers, or to individual users. Software restriction policies provide a number of ways to identify software, and they provide a policy-based infrastructure to enforce decisions about whether the identified software can run. With software restriction policies, when users execute software programs, they must adhere to the guidelines that are set up by administrators.

With software restriction policies, you can:

  • Control the ability of software to run on your system. For example, if you are concerned about users receiving viruses through e-mail, you can apply a policy setting that does not allow certain file types to run in the e-mail attachment directory of your e-mail program.

  • Permit users to run only specific files on multiuser computers. For example, if you have multiple users on your computers, you can set up software restriction policies in such a way that users do not have access to any software except the specific files that are necessary for their work.

  • Decide who can add trusted publishers to your computer.

  • Control whether software restriction policies affect all users or just certain users on a computer.

  • Prevent any files from running on your local computer, organizational unit, site, or domain. For example, if your system has a known virus, you can use software restriction policies to stop a computer from opening the file that contains the virus.


  • Software restriction policies should not be used as a replacement for antivirus software.

For more information, see: