Applocker Windows Folder Exceptions

I have just upgraded from Win 7 HP to Ultimate and I want to try out AppLocker and I have a question about exceptions in the Windows folder as suggested by MrBrian in an old thread.I want to know are those exceptions necessary in the system folder from a local security point of view or also from remote malware as well.Suppose I am using Firefox/Chrome and it is set to download files only to the downloads folder, can malware be still downloaded to those supposed to be excluded folders and executed?

 

Those file system areas are generally protected against writing, from within standard user accounts, but a few of those areas are not.
The default rules created by AppLocker will allow execution from Program Files and Windows, therefore you should create those exceptions.

You should also check whether or not some other folder allows writing, and therefore execution, because sometimes third-party applications may weaken Windows default security settings.

-edit-

Answering to your question, that will depend on whether or not there's some failure in how the browser restricts the download location, I suppose. It could be possible that, at some point in time, any browser will leak due to bugs. Better safe than sorry.

 

Thanks, got it