Hi guys, I really like the idea of restricting execution from user space to form the basis of a pretty bullet-proof setup, and I really like the idea of doing this with things that come with the operating system (minimize overhead, maximize compatibility). Looking around there are several options available which cover almost everything, but there seem to be a few shortcomings from my limited understanding:

SRP/AppLocker: A script running in a document viewer (e.g. Word/Excel/PDF reader/Media player) could bypass these, allowing a downloaded executable to circumvent the protection and be executed (as in this thread). I *know* nobody’s reported malware doing this, but the mere existence of a potential hole really bugs me.

ACLs: Placing a deny execute on risky folders is neat, but a script could copy files out to another (non-system) folder. Unless, I suppose, you put a deny execute on the whole drive, with exceptions for \Program Files, \Program Files (x86) and \Windows? Is this possible? Does it close up all the holes?

Low integrity: Again, it comes back to scripts. You don’t want to run your document viewers/editors as low integrity, since it will break most of them. So you run medium integrity, get some malicious script, and it is executed as part of the document viewing app so gets medium integrity.

1806 registry tweak: I really like the idea of quarantining things ‘from another computer’ and how you can just right-click to unblock. However, I gather that this doesn’t work on things that don’t come from the browser/mail client (e.g. torrent client).

I know that DefenseWall/AppGuard/Sandboxie etc. each have their own ways to deal with containment of risky files, but I have problems using each of them (love DW but no 64-bit support, AppGuard crashes my system for some weird reason, don’t conceptually like the feel of SBIE even though the protection is solid).
So can anyone suggest an approach using just-the-OS tools that closes these script-based holes without disabling scripts altogether?
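The "from another computer" quarantine the post refers to is driven by the NTFS Zone.Identifier alternate data stream that browsers and mail clients write onto downloaded files; the Attachment Manager (and the 1806 policy) only acts on files that carry it. The script below is an added example, not code from the original post or from any of the products it names: it walks a folder that a non-browser source fills (the torrent-client case) and stamps any file lacking the stream with ZoneId=3 (Internet zone), so those files receive the same open-time prompt and right-click Unblock handling as browser downloads. The `$DownloadDir` path is a placeholder; it assumes PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example: give files from a non-browser source the same Zone.Identifier
# marker that browser downloads get, so the Attachment Manager quarantines them.
# Assumptions: PowerShell 3.0+ (needed for -Stream), NTFS volume,
# $DownloadDir is a placeholder you adjust to your own setup.
param(
    [string]$DownloadDir = 'C:\Downloads\Torrents'   # placeholder path
)

function Get-ZoneId {
    param([string]$Path)
    # Returns the ZoneId stored in the Zone.Identifier stream, or $null if the
    # file carries no stream (i.e. Windows does not consider it "from another computer").
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    $content = Get-Content -LiteralPath $Path -Stream Zone.Identifier
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d+)$') { return [int]$Matches[1] }
    }
    return $null
}

function Set-InternetZone {
    param([string]$Path)
    # ZoneId 3 = Internet zone, the value browsers write for downloaded files.
    $value = "[ZoneTransfer]`r`nZoneId=3"
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value $value
}

# Stamp every unmarked file under the download folder; leave already-zoned files alone.
Get-ChildItem -LiteralPath $DownloadDir -File -Recurse | ForEach-Object {
    $zone = Get-ZoneId -Path $_.FullName
    if ($null -eq $zone) {
        Set-InternetZone -Path $_.FullName
        Write-Output "Marked as Internet zone: $($_.FullName)"
    } else {
        Write-Output "Already zoned ($zone): $($_.FullName)"
    }
}
```

Run it once after a download completes (or from a scheduled task that watches the folder). `Unblock-File` is the built-in way to remove the stream again, which is what the right-click Unblock does. Note the limit of this approach: the stream is only a marker checked at open time by the Attachment Manager and SmartScreen, so it complements SRP/AppLocker or ACL-based execution control rather than replacing it.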