This is already posted today in SSM free version forum: But since it looks like almost nobody is reading that forum, I post here too I have made the rules in SSM like this: 1. First put learning mode on and ran as many apps as I came to think. Also some that often crash to have teached SSM free about drwatson and those things. Reboot a few times and change between admin and limited user accounts. 2. Edit all made rules to have 'Ask user' default access and while still in learning mode repeat again what is told in step 1. That adds some more check marks in parent/child rights that were not there after step 1. 3. Disable learning mode and put everything to log in Options, 'Log these events'. Do again all that is in step 1, but this time allow only least rights needed to not get asked again in those prompts you get now. Then just check the log and try to find if any baddies are allowed running that should not. Or if some browser like IE are to be asked always. All the fine tuning. Questions: a) Does above make any sense, considering that the machine is assumed to be quite clean? And if something bad was allowed, tracing them afterwards. b) And putting all default accesses to 'ask user'? Or instead should some applications be really allowed as child as default or have parent default right?