Start by either editing an existing GPO on AD, or create a new GPO. You can also do this stand alone using gpedit.msc on any Windows XP machine.

Drill down to Software Restriction Policies. It depends on where you create the GPO as to which configuration you put this under. If the GPO resides in a User OU, then it needs to go under “User Configuration”. Likewise, if it is in a computer OU, then you need to go the the “Computer Configuration”.

After you determine which configuration is best for you, right click “Software Restriction Policies” and click “Create New Polices”. For you stand-alone non AD guys, if you want to block a certain user from accessing a program, you can log in as them and put these settings under the “User Configuration”.

You should now have some new folders under “Software Restriction Policies” called “Security Levels” and “Additional Rules”. Under “Security Levels” are the default restrictions. If you want total control over what programs are ran, then you can make the “Disallowed” the default level — but that’s another post.

For now we will focus on “Additional Rules”. Right click in the “Additional Rules” folder and click “New Hash Rule”.

This will bring up the “New Hash Rule” box, where you just need to browse for the program in question. I chose Internet Explorer — since I hardly ever use it any way. It should automatically fill in the Hash value for the software, and also the file information. Then you can choose the security level, which in this case would be “Disallowed”. You may also put in a description if you wish.

After you click “OK”, here is the result when trying to run Internet Explorer, or any program of your choosing.