Software Restriction Policies
The Software Restriction Policies security area is a new feature in and Windows Server 2003 used to identify software running in a domain and to control its ability to execute. This feature can identify software that is hostile or unwanted and prevent it from executing on computers running Windows XP Professional and Windows Server 2003. Software restriction policies are discussed in detail in Lesson 2.
It is not necessary for you to use these public key policy settings in Group Policy to deploy a public key infrastructure in your organization. However, these settings give you additional flexibility and control when you establish trust in certification authorities, issue certificates to computers, and deploy the Encrypting File System (EPS) across a domain.
EPS can be controlled and disabled through Group Policy. If you choose to disable EPS for your domain, which prevents users from encrypting files, you can do so by setting an empty recovery policy at the domain level.
With respect to the marketing, finance, and shipping mcse training applications, what are some of the options and considerations when deciding how to deploy these
applications?
Although you could deploy all three applications at the domain level, and use security filtering by adding ACEs to the GPO that limit the deployment to the appropriate users, the solution would require extra administrative work. For example, you would have to implement security groups that align with the deployment goals. The best option, since these applications map nicely to the OU structure of the company, is to deploy the applications at the appropriate OUs. For example, a single GPO to deploy the sales program could be linked to all three Marketing OUs.
The other consideration is whether to assign or publish this application. You must determine whether the applications are optional or mandatory. If these applications are optional, publish?ing to users would make the most sense. Users would have to take the initiative in choosing to go to Add/Remove Programs (or Add Or Remove Programs, in Windows XP) and install the application. Considering that these custom applications were developed specifically to be used by these departments, it is likely that the company would consider them mandatory. Assuming that is the case, you should assign them. If users move from computer to computer in the organization, you may decide that assigning them to the users is most appropriate. If each user has his or her own computer, assigning the applications to themcse exam appropriate computers is the best solution.