I have an SBS Server 2003 domain with Win XP workstations.
To simplify my issue, let's say I have 10 computers and one user account. What I want is when USER1 logs on to COMPUTER-A thru COMPUTER-H, they can run IEXPLORE.EXE and have Internet access with no issues. But when that same user logs on to COMPUTER-I, they can NOT run IEXPLORE.EXE.
Easy enough to set up in a GPO at USER CONFIGURATION/Administrative Templates/System/Don't Run Specified Windows Applications = iexplore.exe. Great setup, because the user gets the popup "due to restrictions in effect on this computer...blah.blah.blah. see your system administrator". Lets the user know IE isn't working on purpose, and saves all those idiotic calls to the help desk.
I "thought" I could restrict this policy to COMPUTER-I only, by adding only COMPUTER-I to the security filtering in the GPO. I've discovered that doesn't work, because then no users have the necessary permissions to run/read the GPO. Therefore, the policy is not applied to the desired computer.
I then "assumed" that if I added "Authenticated Users" to the security filtering, then that policy would only be applied when "ALL" conditions in security filtering were met. Apparently, I assumed incorrectly, as it's applied when "ANY" of the security filtering conditions are met. Hence, all users on all computers were unable to run IEXPLORE.EXE.
How can I get the Disallowed Programs policy to apply to the STAFF users group, but only when a member of that group is logged onto a specific computer or computers in a specific computer group? Hopefully, this can be achieved without having to put square pegs in round holes. :)
-Carl