Overall very impressed with the technology. I went to the MDR and tried to attack the heck out of a machine that only had XP SP2 with no other patches (IE6). After it was all said and done, the malware didn't get outside of the temp directories: both %userprofile%\temp and %windir%\temp. I wish I could have investigated before this, because I almost think it's a perfect solution.

I can say the only thing I wasn't happy with is this. To be able to install a lot of programs you need to open up the temp directories, because the installer extracts everything into the temp directories. What's bad about opening your temp directories is that it would also allow malware to run that got downloaded by the browser. Don't know if there is a way around this one... The only way I can think to get around this problem is to create one and only one account that you install software under (and don't browse under this account). At least with AppLocker you could say only this account has access to run stuff in the temp directories. Sure, if you run under a user rather than an administrator it would solve the problem, but there are still a lot of people that can't run under limited privileges. I'm a programmer and it's just way too hard to run Visual Studio, IIS, SQL Server, etc. under limited user credentials.

Edit: The other disappointing thing is that it should be made a part of home versions of Windows instead of just Professional/Enterprise/Ultimate. This technology can be used for a lot more than just an enterprise locking down what software a user can run.