Simple Software-Restriction Policy
A security enhancement for Windows XP/Vista/7 (Home or Pro)
See our downloads page for the latest release.
Detailed installation and usage instructions are on our Software Policy Minisite.
Software restriction policies provide a useful protection against malware. They do this by preventing executables from being launched from places where malware would typically arrive on the computer, such as download folders within the user-profile, temporary-file folders and USB memory. An additional benefit is the ability to block the installation of unwanted software from auto-running product CDs etc.
Whilst you can achieve the same result with Group Policy on Pro versions, doing so is by no means easy, as the default settings don't suit this purpose. This script provides an automated configuration which should suit most standard Windows setups. It also works on Home versions of Windows, where Group Policies are not available.
As far as security enhancements go, some comparisons could be drawn between Software Policies and running as a Limited (non-Admin) User. In fact the two precautions are mutually beneficial, and for best security both should be implemented.
Thus, the use of both together will provide excellent security.
That said, if you've already tried and given up on limited-user working (or Vista's horrendous UAC), having found it insufferable, give Software Policies a try. They are far less invasive than account restrictions, and can be turned off any time you need to. I'm writing this webpage on a computer with a software policy, and basically I mostly forget it's there. Only on rare occasions do I need to turn it off, and if I do, then that is accomplished in the space of a few clicks. A few areas in which a software policy causes far less aggro than UAC are:
The latest version also provides integrated support for Kåre Smith's StripMyRights.exe - thus allowing attack-prone apps such as browsers to be given additional protection, without the need to restrict the account itself.
A system-tray icon provides controls to install/uninstall the policy, and to turn the policy off whilst installing legitimate software. In fact, the softwarepolicy.exe program itself need not be run continuously, other than to produce this icon for convenience. The policy, once set, will survive reboots and remain in force until cancelled.
The tray icon also provides a handy list of the most frequently-used administrative utilities. This list can be edited as required.
Notes: This script and the Group Policy software restrictions should not be used simultaneously. (You can use other policies, just not software restrictions.) Not suitable for Windows 2000 or earlier.
Run the installer, and then check that the settings in softwarepolicy.ini are suitable for your computer. Activate the policy and reboot.
To control the policy, use Lock/Unlock on the system-tray icon to turn the additional security on and off as required. (This takes immediate effect.)
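To confirm that a policy is actually in force after activating it and rebooting, the following read-only PowerShell audit reports the Windows software-restriction settings and warns about any Unrestricted path rule inside a user-writable folder. It is an added example, not part of this tool or its documentation. It assumes PowerShell 2.0 or later and that the policy is stored under the standard Windows Safer\CodeIdentifiers registry key, which this page does not state.

```powershell
# Added example: read-only audit of Windows software restriction policy (SRP) state.
# Assumption: the policy is stored under the standard Safer\CodeIdentifiers key.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (-not (Test-Path $base)) {
    Write-Output 'No software restriction policy found in the registry.'
    return
}
$cfg = Get-ItemProperty -Path $base

# DefaultLevel decides what happens to an executable that matches no rule.
$lvl = $cfg.DefaultLevel
if     ($lvl -eq $null)  { $default = 'not set' }
elseif ($lvl -eq 0)      { $default = 'Disallowed (default-deny)' }
elseif ($lvl -eq 131072) { $default = 'Basic User' }
elseif ($lvl -eq 262144) { $default = 'Unrestricted (nothing blocked by default)' }
else                     { $default = "unknown value $lvl" }

Write-Output "Default level      : $default"
Write-Output "TransparentEnabled : $($cfg.TransparentEnabled)  (0 = off, 1 = programs, 2 = programs and DLLs)"
Write-Output "PolicyScope        : $($cfg.PolicyScope)  (0 = all users, 1 = all except administrators)"

# Folders a non-admin user can write to; malware typically arrives here.
$userWritable = @($env:USERPROFILE, $env:TEMP) | Where-Object { $_ }

# Path rules are stored per security level: 0 = Disallowed, 262144 = Unrestricted.
foreach ($level in '0', '262144') {
    $pathsKey = "$base\$level\Paths"
    if (-not (Test-Path $pathsKey)) { continue }
    $kind = if ($level -eq '0') { 'Disallowed' } else { 'Unrestricted' }

    foreach ($key in Get-ChildItem -Path $pathsKey) {
        $rule = (Get-ItemProperty -Path $key.PSPath).ItemData
        Write-Output "$kind path rule : $rule"

        # An Unrestricted rule inside the profile or temp folder reopens the hole
        # the policy is meant to close, so flag it for review.
        if ($level -eq '262144' -and $rule) {
            foreach ($dir in $userWritable) {
                if ($rule.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                    Write-Warning "Unrestricted rule in a user-writable folder: $rule"
                    break
                }
            }
        }
    }
}
```

The script only reads the registry, so it can be run while the policy is locked or unlocked to compare the two states.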
This software may be duplicated any number of times, and used in private or commercial IT operations. The software may not be sold for profit in any shape or form. Third-party websites and P2P hosts may offer copies for download so long as these conditions are met.
It is not necessary to supply source code with every downloaded copy, so long as a link to the publisher's website is included in some form or other at the download location.