But are you not blocking JAVA and JAVA updates, FLASH and other things that run in the
%userprofile%application data
and
%userprofile%local settings\application data
areas?
A Lot of new stuff installs to and runs in those areas now.
No, I do not agree with them, GOOGLE is one, JAVA stuff is another, FLASH places crap there, too.
Many organizations are bypassing normal security by placing their stuff there.
Google places DLLS and other things there - in fact the entire CHROME install goes there - (and that's how I block CHROME!)
I agree with what you are doing - but wonder - don't you have to hassle with any exceptions, etc.?
Like Go-To Meeting runs from there! Anyone wishing online training, online meetings, etc. - it all runs from the above paths.
VERY few apps install to the Program Files area any more. They all seem to have found they can get into the corporate world through naive and wanting ends users by simply installing to the profile areas.
That way the poor suppressed needy end user can get past the greedy nasty bossy IT folks and get what they want, while Adobe and Google look like heros to them.