Hello,
It is important to understand what rule AC14, "Prevent changes to system using Internet Explorer (IPS) [AC14]", is in Application Control.
AC14 Rule Set: Prevent changes to system using Internet Explorer (IPS)
(Rule) > Internet Explorer Protection
Note: applies to processes matching iexplore.exe and firefox.exe
(Condition) > AC14-1.1 Block writing to system folders
- %windir%*\*
- %programfiles%*\*
Excluded Files and folders
- *\*softwaredistribution*
- *\*softwaredistribution*\*\*
- *\*windowsupdate*
- *\*windowsupdate*\*\*
- %windir%\profile*\*\*.
(Condition) > AC14-1.2 Allow IE to launch system process
- %windir%*\*
- %programfiles%*\*
Excluded Processes
- *script*.exe
- telnet.exe
- mshta.exe
- cmd.exe
- ftp.exe
- rundll32.exe
- reg.exe
- at.exe
(Condition) > AC14-1.3 Block IE from launching other processes
(Condition) > AC14-1.4 Allow IE to load system DLLs
- %windir%*\*
- %programfiles%*\*
(Condition) > AC14-1.5 Block IE from loading other DLLs
Prevent registration of new Browser Helper Objects (IPS) [AC16]
Prevent registration of new Browser Helper Objects applies to processes matching *
Reference: http://www.symantec.com/docs/TECH132307
To resolve the issue, check this thread:
https://www-secure.symantec.com/connect/forums/sep-hardening-policy-application-control-problems
Hope that helps!!
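
The AC14 conditions listed in the post above, modelled as an added example that is not part of the original post or Symantec's code: it shows which condition a browser action would hit, which helps when working out why a legitimate action is being blocked. Assumptions: conditions are evaluated top to bottom with the first match winning, wildcards behave like Python's `fnmatch`, the environment-variable expansions are constructed values, and `evaluate` and `_hit` are hypothetical names.

```python
import fnmatch
import ntpath

# Assumed expansions of the page's variables (constructed values).
ENV = {"%windir%": r"c:\windows", "%programfiles%": r"c:\program files"}
BROWSERS = ["iexplore.exe", "firefox.exe"]          # processes AC14 applies to
SYSTEM = [r"%windir%*\*", r"%programfiles%*\*"]     # AC14-1.1 / 1.2 / 1.4
# Subset of the AC14-1.1 exclusions listed in the post.
WRITE_EXCLUDED = [r"*\*softwaredistribution*", r"*\*softwaredistribution*\*\*",
                  r"*\*windowsupdate*", r"*\*windowsupdate*\*\*"]
PROC_EXCLUDED = ["*script*.exe", "telnet.exe", "mshta.exe", "cmd.exe",
                 "ftp.exe", "rundll32.exe", "reg.exe", "at.exe"]  # AC14-1.2


def _hit(path, patterns):
    """True if the full path or its file name matches any pattern (assumed semantics)."""
    path = path.lower()
    name = ntpath.basename(path)
    for pattern in patterns:
        for var, value in ENV.items():
            pattern = pattern.replace(var, value)
        if fnmatch.fnmatchcase(path, pattern) or fnmatch.fnmatchcase(name, pattern):
            return True
    return False


def evaluate(process, action, target):
    """Return (condition, verdict) for one event; the first matching condition wins."""
    if not _hit(process, BROWSERS):
        return ("out of scope", "no action")
    system = _hit(target, SYSTEM)
    if action == "write":
        # Writes to system folders are blocked unless the path is excluded.
        if system and not _hit(target, WRITE_EXCLUDED):
            return ("AC14-1.1", "block")
        return ("no match", "no action")
    if action == "launch":
        # System binaries are allowed, except the excluded process names,
        # which fall through to the catch-all block in AC14-1.3.
        if system and not _hit(target, PROC_EXCLUDED):
            return ("AC14-1.2", "allow")
        return ("AC14-1.3", "block")
    if action == "load_dll":
        return ("AC14-1.4", "allow") if system else ("AC14-1.5", "block")
    raise ValueError(f"unknown action: {action}")
```

For example, `evaluate(r"C:\Program Files\Internet Explorer\iexplore.exe", "launch", r"C:\Windows\System32\cmd.exe")` returns `("AC14-1.3", "block")`, because `cmd.exe` is excluded from the allow condition even though it sits in a system folder.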