Paranoid Admin

Secure your browser’s cache using Software Restrictions

This tip only applies to the following Windows OS versions:
Windows XP Professional, Windows Server 2003, Windows Vista Small Business, Windows Vista Professional, Windows Vista Enterprise, Windows Vista Ultimate, Windows Server 2008

You have probably browsed sites that were all too happy to download trojans/spyware/adware/etc., and run them on your machine without your knowledge… leading to all kinds of up-all-night fun.

If you have had these experiences, then you also may have cursed Windows – for not including tools necessary to secure the Windows OS.

Well they DO, to a point. Your day is about to get a lot better.

This technique does NOT protect you from errant and malicious ActiveX controls. You will have to configure security for ActiveX controls under IE in Tools > Internet Options > Security.

Enter our good friend, and drinking buddy, gpedit.msc. You can give it a call by going to Start > Run, and typing gpedit.msc… then hitting ENTER, of course. Let the good times roll.

What you are presented with is the “Group Policy Object Editor” – as shown below:

Group Policy Object Editor


Step 1 – After opening the Group Policy Object Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Software Restriction Policies. If you haven’t been here before, you will see the following screen:

Group Policy Object Editor - No Software Restriction Policies Defined


If you do not see this screen (a.k.a. Software Restriction Policies have been defined), then proceed to Step 2. For those that have this screen in front of them:

Step 1a – Right click on Software Restriction Policies, select All Tasks > New Software Restriction Policies, and left click on it. After doing so, you should see:

Group Policy Object Editor - Software Restriction Policy Defined


Step 2 – Once the policies have been defined (or were already defined, if you skipped here from Step 1), left click on Additional Rules below Software Restriction Policies.

Step 2a – In the right hand pane of the Group Policy Object Editor window, right click in an empty area and select New Path Rule. You are presented with:

Group Policy Object Editor - Software Restriction Policies - New Path Rule


Here you can enter a directory (a.k.a. path) to apply software restriction rules to. Notice the default Security level is set to “Disallowed” – this is what you want, as you are DISALLOWING execution rights for this directory. In the Description field, you will want to add some descriptive text to define the path rule, like “IE cache protection”, or whatever it is meant for. Be creative, but to the point.

Now, you are wondering “What do I do here?” Well, read through. Don’t worry, it isn’t that difficult.

Step 3 – You will want to enter the directory (or directories) for your browser’s cache… i.e. where your browser of choice downloads its temporary files to, a.k.a. the files that are downloaded from the sites you visit – which includes the nasty files, such as viruses/trojans/etc. Enter a single path and click OK. You CANNOT put all the paths in the same field, just so we understand each other. Repeat the process from Step 2a for every path you need to enter.

The beauty of Path Rules is that you can use environment variables and globbing patterns to simplify, and make all-inclusive, the directories you want to lock down. Below is a simple list of popular browsers and the directories you should add path rules for (all using environment variables and globbing patterns, for simplicity):

  • Internet Explorer (Version 7 and higher): %USERPROFILE%\Local Settings\Temporary Internet Files
  • Internet Explorer (Version 6 and below): %USERPROFILE%\Local Settings\Temporary Internet Files AND ALSO %USERPROFILE%\Local Settings\Temp (Note: the \Temp directory will stop you from installing certain software, especially from ZIP self-extracting archives. We suggest you upgrade to version 7 or higher, so you will NOT have to include the \Temp directory. If you need to install software that runs from \Temp, go into the Software Restriction Policies and set the \Temp directory to “Unrestricted” temporarily)
  • Mozilla Firefox (Version 2 and 3): %USERPROFILE%\Local Settings\Application Data\Mozilla\Firefox\Profiles\*\Cache
  • Opera (Version 9 and higher): %USERPROFILE%\Local Settings\Application Data\Opera\Opera\profile\cache*

Step 4 (optional) – You may also want to secure the system’s global Temp directory – if you are paranoid, like I am:

System Temp: %windir%\Temp

…of course, this depends on whether you have configured the system temporary directory to be a folder other than C:\Windows\Temp.

Step 5 – Congratulations, you are now finished.
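Once the path rules from Steps 2 through 4 are in place, you can audit them without clicking through gpedit. The following PowerShell is an added example, not part of the original post: it reads the path rules the applied policy has written under the Safer registry key, lists them with their security level, and checks whether a sample executable path (here a hypothetical putty.exe in the IE cache) would hit a Disallowed rule. The registry layout used (CodeIdentifiers\<level>\Paths\{GUID} with ItemData and Description values) is the standard Software Restriction Policy storage; run it from an elevated prompt.

```powershell
# Added example (not from the original post): audit the Software Restriction
# Policy path rules applied on this machine and test a file path against them.
$saferRoot  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{ 0 = 'Disallowed'; 0x20000 = 'Basic User'; 0x40000 = 'Unrestricted' }

function Get-SrpPathRule {
    # Each security level is a numeric subkey (0 = Disallowed, 262144 = Unrestricted);
    # its path rules live under <level>\Paths\{GUID}, with ItemData holding the path.
    foreach ($levelKey in Get-ChildItem $saferRoot -ErrorAction SilentlyContinue) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $level    = [int]$levelKey.PSChildName
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem $pathsKey) {
            $props = Get-ItemProperty $rule.PSPath
            [pscustomobject]@{
                Level       = $levelNames[$level]
                Path        = $props.ItemData
                # Expand %USERPROFILE% etc. so the rule can be compared to real paths
                Expanded    = [Environment]::ExpandEnvironmentVariables($props.ItemData)
                Description = $props.Description
            }
        }
    }
}

function Test-SrpPathBlocked {
    param([Parameter(Mandatory)][string]$FilePath)
    # A directory rule covers everything beneath it; a rule ending in a wildcard
    # (e.g. ...\cache*) is matched as a pattern. Only Disallowed rules are checked,
    # since that is the level the post configures for the cache directories.
    foreach ($rule in Get-SrpPathRule | Where-Object { $_.Level -eq 'Disallowed' }) {
        $pattern = $rule.Expanded.TrimEnd('\')
        if ($FilePath -like "$pattern\*" -or $FilePath -like $pattern) {
            return "BLOCKED by rule '$($rule.Description)' ($($rule.Path))"
        }
    }
    return 'ALLOWED (no Disallowed path rule matches)'
}

Get-SrpPathRule | Format-Table Level, Path, Description -AutoSize
# Hypothetical download in the IE cache; with the rule from Step 3 this reports BLOCKED.
Test-SrpPathBlocked "$env:USERPROFILE\Local Settings\Temporary Internet Files\putty.exe"
```

The Safer key is populated when the local policy is applied, so if a rule you just created in gpedit is missing from the listing, run gpupdate /force and repeat the audit.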

When you download an executable from the internet, you will now have to SAVE it instead of opening/running it directly. The Open/Run function downloads the file to your temporary internet files (cache) and runs it from there – which it is now NOT allowed to do. This DOES NOT affect non-executable files like ZIP archives and such.

You can reboot if you want, but there is no need to – Software Restriction Policies do not require a reboot of the system. Go ahead and try out your new setup. For instance, go download PuTTY (SSH client), or any other executable file – such as the new AOL setup – and click Open/Run from the dialog box instead of Save. You will be greeted with the following error message dialog box (or whatever your browser reports):

Software Restriction Policy - Disallowed Execution


Your browser’s cache is now secured.

This does NOT protect you from downloading and saving mysterious files, then running them YOURSELF. To protect your computer from yourself AND other users downloading files and running them, your account should be a limited user.

Enjoy surfing without having to worry about garbage being installed in the background. It should also be noted that Software Restriction Policies apply to ANY type of software, not just browsers. Be creative and explore.


This article was posted on Monday, June 1st, 2009 at 06:22 (6:22 am) and is filed under How-to's, Security, Windows. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.


Comments - 11 Responses to "Secure your browser’s cache using Software Restrictions"

  1. Kelly Brown says:

    The best information I have found exactly here. Keep going, thank you.

  2. CrisBetewsky says:

    You know, I don’t read blogs. But yours is really worth being read.

  3. Hello, can you please post some more information on this topic? I would like to read more.

  4. aquagirlzzz says:

    Hi
    Yesterday I took a test, the result surprised me!

  5. riogenre says:

    I agree, rather amusing opinion

  6. download says:

    nice job men:)

  7. Ha Camaron says:

    Couldn’t be written any better. Reading this post reminds me of my old roommate! He always kept talking about this. I will forward this article to him. Pretty sure he will have a good read. Thanks for sharing!

  8. Steve says:

    Hi
    Yesterday I took a test, the result surprised me!

  9. BaggikeFlag says:

    c’mon folks, we can do better.. let’s take back our title!
