In Windows Vista and Windows XP, software restriction policies (SRPs) provide an additional level of protection against unauthorized software on users' workstations. SRPs' built-in rules allow programs in protected locations such as %ProgramFiles% and %SystemRoot% to be launched without restrictions. Setting the default security level to Disallowed prevents executables in other locations from running, which is useful considering the trend toward portable applications.

In XP, one problem with simply switching on SRP and setting the default security level to Disallowed is that the built-in rules don't allow users to launch applications from desktop shortcuts. In most organizations, this is an unacceptable trade-off between security and functionality because users often rely on shortcuts to run applications.

One way to work around this problem is to add an additional path rule, as Figure 1 shows.

Figure 1: Adding the *.lnk path rule to allow shortcuts

Adding the *.lnk path rule re-enables all shortcuts on the user’s machine. Interestingly, this path rule doesn’t actually contain a path. It just contains the string *.lnk.

In Vista, SRP has been improved to allow shortcuts when the default security level is set to Disallowed. So, you don't need to add this path rule on Vista workstations.
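
To check which workstations carry the *.lnk rule, the PowerShell below lists the SRP default level and every path rule, marking rules whose pattern has no directory part. It is an added example, not part of the original article. It assumes the policy is stored under the machine key `HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`, with rules in subkeys named for the decimal level ID; the function names are hypothetical.

```powershell
# Added example: audit SRP path rules and flag patterns with no directory part.
# Assumption: policy lives under the machine key below (use HKCU: for user policy).
$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpLevelName([int]$Id) {
    if ($LevelNames.ContainsKey($Id)) { $LevelNames[$Id] } else { "Level $Id" }
}

function Get-SrpPathRule {   # hypothetical helper name
    param([string]$Root = $SrpRoot)
    if (-not (Test-Path $Root)) { return }            # no SRP policy present
    foreach ($levelKey in Get-ChildItem $Root) {
        $id = 0
        # Rule containers are subkeys named by level ID (0, 262144, ...)
        if (-not [int]::TryParse($levelKey.PSChildName, [ref]$id)) { continue }
        $pathsKey = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $pathsKey)) { continue }
        foreach ($rule in Get-ChildItem $pathsKey) {
            $pattern = (Get-ItemProperty $rule.PSPath).ItemData
            New-Object PSObject -Property @{
                Level       = (Get-SrpLevelName $id)
                Pattern     = $pattern
                # True for rules such as *.lnk that match in any folder
                NoDirectory = ($pattern -notmatch '\\')
                RuleId      = $rule.PSChildName
            }
        }
    }
}

if (Test-Path $SrpRoot) {
    $default = (Get-ItemProperty $SrpRoot).DefaultLevel
    if ($null -ne $default) { "Default security level: $(Get-SrpLevelName $default)" }
}
Get-SrpPathRule | Sort-Object Level, Pattern |
    Format-Table Level, Pattern, NoDirectory -AutoSize
```

On a Vista workstation, a *.lnk row in this output is a rule that can be removed, since Vista allows shortcuts without it.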