Software Restriction Policies is wrongly applied to Administrator

I have Windows 7 64-bit and have configured Software Restriction Policies so that "Disallowed" is the default security level. I also have Path Rules defined so that software in C:\Program Files, C:\Program Files (x86), and C:\Windows can execute. I also want it to apply to only my limited user account, so it is configured for "All users except local administrators".

But it is still affecting my admin account. When I'm logged in as my admin user and I try to run any executable file in the C:\Users\admin\Downloads directory, I get a popup saying "This program is blocked by group policy."

Any idea why the Software Restrictions Policies are affecting my admin account even though it is set to "All users except local administrators"?

Hello Delerious, and welcome to Seven Forums.

Did you do this through Group Policy?

If so, then double check using the tutorial below to see if this how you setup the separate "All users except local administrators" group policy snap-in to set these policies in.
You might also look at AppLocker to see if it may work for this as well for you.
Hope this helps some,
Shawn

Thanks Shawn. I think this is related to UAC. If I run an executable file using "Run as administrator", then it runs fine and doesn't get blocked.

I know this thread is old, but I found something yesterday that causes this very symptom, and since I couldn't find the answer after Googling for days, I thought I'd post what I found so it might help someone else.

Like delerious above, I configured Software Restriction Policies (under Computer Configuration), and under Enforcement, Apply software restriction policies to the following users, I selected All users except local administrators. I set the Security Levels default to Disallowed, and then built the rest of the policy by creating the Additional Rules (mainly path rules). All this went into a new GPO that was intended to be used only for SRP configuration.

When I tested with user accounts, it worked as expected, but my admin account was also denied access. I hate when my system tells me access denied. <grrr>

I Googled and found others who had this problem (here, superuser, wildersecurity) but no solutions. I somehow stumbled onto another GPO and discovered that it had software restriction policies enabled too. I checked its settings, and found that nothing had been changed from the defaults. It was as if another administrator found the "No Software Restriction Policies Defined" message, so he clicked on New Software Restriction Policies menu item. But then he didn't configure anything.

Which would have been OK, except for the fact that -- and here's an example of yet another retarded Microsoft default -- the Apply software restriction policies to the following users radio button is set to All users by default. I found several other GPOs had been done this way. So guess what? All those GPOs were somehow overriding the one configured correctly.

After deleting all those unintended policies (and I might have rebooted the test machine, probably cussed a lot), it works like a champ.

Note: something else I learned through all this is that rsop.msc is your friend.