To create a path rule

1. Open Software Restriction Policies.
2. In either the console tree or the details pane, right-click Additional Rules, and then click New Path Rule.
3. In Path, type a path, or click Browse to find a file or folder.
4. In Security level, click either Disallowed or Unrestricted.
5. In Description, type a description for this rule, and then click OK.

Caution

• On certain folders, such as the Windows folder, setting the security level to Disallowed can adversely affect the operation of your operating system. Make sure that you do not disallow a crucial component of the operating system or one of its dependent programs.

Notes

• Different administrative credentials are required to perform this procedure, depending on your environment:
  • If you create a path rule for your local computer: XOX
  • If you create a path rule for a computer that is joined to a domain: XOX
• To open Software Restriction Policies, see "Open Software Restriction Policies" in Related Topics.
• It may be necessary to create new software restriction policies for the Group Policy object (GPO) if you have not already done so. For information about how to create new software restriction policies, see Related Topics.
• If you create a path rule for software with a security level of Disallowed, users can still run the software by copying it to another location.
• The wildcard characters that are supported by the path rule are * and ?.
• You can use environment variables, such as %programfiles% or %systemroot%, in the path rule.
• If you want to create a path rule for software when you do not know where it is stored on a computer but you have its registry key, you can create a registry path rule. For more information about how to create a registry path rule, see Related Topics.
• To prevent users from executing e-mail attachments, you can create a path rule for your e-mail program's attachment directory that prevents users from running e-mail attachments.
• The only file types that are affected by path rules are those that are listed in Designated File Types in the details pane for Software Restriction Policies. There is one list of designated file types that is shared by all rules. For more information, see "Add or delete a designated file type" in Related Topics.
• For software restriction policies to take effect, users must update policy settings by logging off from and logging on to their computers.
• When more than one software restriction policies rule is applied to policy settings, there is a precedence of rules for handling conflicts. For more information, see "Precedence of software restriction policies" in Related Topics.

Related Topics