I need a little help with a Group Policy Object I created fro Software Restrictions. I create it to better lockdown software on some new Windows XP computers. Here's what I've got:

I created an OU under Resources for said machines and created a new GPO for the OU. I create a new policy under Computer Configuration>Windows Settings>Security Settings>Software Restriction Policies. Security Level is Disallowed and Enforcement is all except local administrator. Under Additional Rules I set up two Path rules for unrestricted access to anything located inside the %WINDR% and %PROGRAMFILES%.

When I log into a computer inside this OU as a regular user, I can execute files inside those folders, but I'm getting an error if I use a shortcut to said executable. For example, I have a program inside %WINDR% named etrnview.exe. I get a restricted error if I try to run it using the shortcut located at Cocuments and SettingsAll UsersStart MenuProgramsE-Transcript Viewer.lnk. If I add a Path to that shortcut I can use it.

So, if I've got this straight, I either need to add numerous Paths to the GPO for all shortcuts (lnk) to files. Or unrestrict all LNK file types. Wouldn't the latter be a bad idea? Am I wrong or is there another way around this problem?

I'd sure like to get off on a better start with these new computers. A handful of users have ignored the written "do not install software" policies and done it anyway.