Software Restriction Policies allow you to control the execution of certain programs. It's an excellent feature to use on terminal servers or machines serving as a public kiosk, so users are locked into one specific function and can't mess with administrative tools or Internet applications and utilities.
Once you're ready to create the policy, follow this procedure:
1. Create a new GPO for each restriction policy. This makes it easier to disable a policy that might be overly restrictive.
2. Choose Computer Configuration or User Configuration to apply the restrictions to machines or users, and then navigate through Policies --> Windows Settings --> Security Settings --> Software Restriction Policies.
3. Right-click Software Restriction Policies and choose New Software Restriction Policy from the context menu.
4. Set a default identifier rule: in the left pane, click Security Levels, and then right-click a specific security level and choose Set as Default from the pop-up context menu.
5. Now, create the actual rules that will catch software on which to enforce a restriction. Right-click Additional Rules in the lefthand pane. Choose New Certificate Rule and select the certificate to require or block; New Hash Rule and the file to allow or block; New Internet Zone Rule and the zone from which to allow or block programs; or New Path Rule and the file or Registry key to allow or restrict.
6. In the righthand pane, double-click Enforcement. Here, indicate how these restrictions should be enforced. Use of the following options is recommended:
   - "All software files except libraries" will help you avoid blocking critical system and application function files.
   - "All users except local administrators" indicates that Windows should enforce the policy for everyone except those in the local administrator group.
7. Next, in the righthand pane, double-click Designated File Types. On this sheet, review and add file extensions associated with applications included in the software restriction policies. The list should be fairly complete, but ensure that any scripting languages you use in your organization have their associated file extensions included.
8. Finally, in the righthand pane, double-click Trusted Publishers. Here you can specify whether normal users, local administrators, or enterprise administrators are allowed to decide what certificates to trust when opening digitally signed programs and controls.
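Once the GPO has been applied, you can confirm on a target machine that the default level, enforcement options, designated file types, and rules arrived as configured. The following PowerShell is an added example, not part of the original text; it reads the registry values that Software Restriction Policies use under Policies\Microsoft\Windows\Safer\CodeIdentifiers and changes nothing. The function names Resolve-Name and Get-SrpAudit are made up for this illustration, and the script lists path, hash, and Internet zone rules only, not certificate rules.

```powershell
# Added example (not from the original text): read-only audit of the Software
# Restriction Policy settings that Group Policy has written to this machine.
$LevelNames   = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'
                   131072 = 'Basic User'; 262144 = 'Unrestricted' }
$EnforceNames = @{ 0 = 'No enforcement'; 1 = 'All software files except libraries'
                   2 = 'All software files' }
$ScopeNames   = @{ 0 = 'All users'; 1 = 'All users except local administrators' }

function Resolve-Name($Map, $Value) {
    # A missing value must not be read as 0, which would report "Disallowed".
    if ($null -eq $Value) { return '(not set)' }
    if ($Map.ContainsKey([int]$Value)) { return $Map[[int]$Value] }
    return "unknown ($Value)"
}

function Get-SrpAudit {
    param([ValidateSet('HKLM:', 'HKCU:')][string]$Hive)  # computer vs. user policy
    $key = "$Hive\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path -Path $key)) {
        return [pscustomobject]@{ Hive = $Hive; Applied = $false }
    }
    $p = Get-ItemProperty -Path $key
    $rules = foreach ($level in Get-ChildItem -Path $key) {     # one subkey per security level
        if ($level.PSChildName -notmatch '^\d+$') { continue }
        foreach ($type in Get-ChildItem -Path $level.PSPath) {  # Paths, Hashes, UrlZones
            foreach ($rule in Get-ChildItem -Path $type.PSPath) {
                $item = (Get-ItemProperty -Path $rule.PSPath).ItemData
                if ($item -is [byte[]]) { $item = -join ($item | ForEach-Object { $_.ToString('x2') }) }
                [pscustomobject]@{ Level = Resolve-Name $LevelNames $level.PSChildName; Type = $type.PSChildName; Item = $item }
            }
        }
    }
    [pscustomobject]@{
        Hive         = $Hive; Applied = $true
        DefaultLevel = Resolve-Name $LevelNames   $p.DefaultLevel
        Enforcement  = Resolve-Name $EnforceNames $p.TransparentEnabled
        AppliesTo    = Resolve-Name $ScopeNames   $p.PolicyScope
        FileTypes    = $p.ExecutableTypes -join ' '   # check your scripting extensions are here
        Rules        = @($rules)
    }
}

foreach ($hive in 'HKLM:', 'HKCU:') {
    $audit = Get-SrpAudit -Hive $hive
    $audit | Select-Object * -ExcludeProperty Rules | Format-List
    $audit.Rules | Format-Table -AutoSize
}
```

Run it after a policy refresh on the target machine; an Enforcement or AppliesTo line that differs from the two recommended options shows that a different GPO is winning or that the setting was changed.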