Application Control is the Key 

Jul 22, 2009 02:11 PM

Application control is a key feature of SEP that gives you, as a system administrator, the ability to enforce the written security policy technically, not verbally. Every corporate network should have some sort of checklist that lists the approved applications and software that every employee has the right to run on their machines. Anything else should be prohibited.

Previously, system admins used Windows Group Policy to control software usage in the network, but that was a hard task: they needed to know which applications were currently running and sort them into allowed and blocked, and they had no centralized monitoring and reporting. These problems made application control an impossible mission.

With SEP application control, you'll be able to prevent unauthorized application use throughout your organization. No more IM, P2P, games, or illegal software.

This will also decrease the chance of infection by preventing users from executing malicious executables. 98% of malware is transported to users' computers as video codecs, Christmas cards, or fake antispyware tools.

I've found that app control is the key to a lot of our problems nowadays when it comes to hardening and securing endpoints. If you trace most malware infections back to their root, it'll be because of our users' habits. The policies can range from simple to complex ones. I've found them useful when you want to defeat a new zero-day malware by blocking the DLL importing or the execution of a specific file(s) in the system. You can slow down the infection process, or even prevent it altogether. Simply upload a sample of the malware to one of the online "sandboxing" services like http://www.threatexpert.com, and they will e-mail you a complete report of every single activity of the malware, from dropping new files and modifying/deleting registry keys to loading DLL files into system process spaces. You can use these details to customize a policy to protect your endpoints until Symantec releases new definitions.
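The report-to-policy step described above, as an added example that is not part of the original article or Symantec's tooling: it groups the activity lines of a sandbox report into block-rule candidates and holds back anything in a shared system location, since blocking a DLL that legitimate software also loads would break the endpoint. The report line format, the sample file names and the rule category names are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the "Activity: target" line format is an assumption,
# not the actual layout of any sandbox service's report.
SAMPLE_REPORT = r"""
File created: C:\Users\Public\codec_setup.exe
File created: %Temp%\msupd32.dll
Registry value set: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\msupd
Module loaded: C:\Windows\System32\kernel32.dll
Module loaded: %Temp%\msupd32.dll
Process started: C:\Users\Public\codec_setup.exe
"""

# Hypothetical rule categories (not product syntax), keyed by activity label.
ACTIVITY_TO_RULE = {
    "File created": "file_create",
    "Registry value set": "registry_write",
    "Module loaded": "load_dll",
    "Process started": "launch_process",
}

# Locations shared with legitimate software; blocking these breaks the system.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files")

LINE_RE = re.compile(r"^(?P<activity>[A-Za-z ]+):\s*(?P<target>\S.*)$")


def build_rule_candidates(report):
    """Split reported activity into block-rule candidates and items to review."""
    candidates, needs_review = defaultdict(set), defaultdict(set)
    for line in report.splitlines():
        match = LINE_RE.match(line.strip())
        if not match or match["activity"] not in ACTIVITY_TO_RULE:
            continue  # ignore headers, blank lines and unknown activity types
        target = match["target"]
        protected = target.lower().startswith(PROTECTED_PREFIXES)
        bucket = needs_review if protected else candidates
        bucket[ACTIVITY_TO_RULE[match["activity"]]].add(target)
    as_lists = lambda d: {rule: sorted(items) for rule, items in d.items()}
    return as_lists(candidates), as_lists(needs_review)


if __name__ == "__main__":
    block, review = build_rule_candidates(SAMPLE_REPORT)
    for title, rules in (("BLOCK", block), ("REVIEW", review)):
        for rule, targets in rules.items():
            for target in targets:
                print(f"{title:6} {rule:15} {target}")
```

Entries in the review list are the ones to check by hand before they go anywhere near a policy.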

Soon, I'll write a step-by-step article on how to allow a specific number of approved applications and block the rest. So, stay tuned.

Ayed Alqarta
 
[Symantec Certified Specialist]

Comments

May 07, 2010 09:16 AM

good

Jul 24, 2009 01:48 PM

Well Written..

Administrator has COMPLETE CONTROL on the Internal Network  at the end of the Implementation... :-)


Thanks
