EDIT: oh yeah, just fyi also... I found, for me anyway, some of the applications I had in /Program Files for example that came up as loopholes. I did not need to create an SRP rule to restrict them; you can just modify the permissions in Advanced Security Settings for the application directory and remove the offending entry. That is, as long as the app didn't need exclusive access; if it does, read further below. The apps this happened to me with, where I could save the resources and just modify security settings, were mostly portable-type apps that don't use an installer. /EDIT
EDIT again: sorry mechBgon, I didn't read your link.. looks like you can just modify permissions like I had to for a few apps, and it'll still work. Will leave the info below though, it could help elsewhere. /EDIT
I have a few additional ones that relate to my specific software, like StartIsBack start-menu software, and there's also the tough decision of how to deal with Steam and Origin, since they don't work if their loopholes get set to Disallowed. One kludge is to fix their Path loopholes and then override SRP by using Run As Administrator when I want to play a Steam or Origin game. Not exactly risk-free. I may try the suggestion here, later this week:
http://www.wilderssecurity.com/showpost.php?p=2240771&postcount=6
I'm not familiar with what was mentioned in this thread, so for various reasons I looked around, and here's a link I found useful.
http://technet.microsoft.com/en-us/library/bb457006.aspx
With the info found there, it seems you can probably solve your Steam issue and the like by simply specifying multiple rules on top of each other; any similar rule with higher specificity toward a specific executable rules the policy for that specific executable. I had to do this also for some programs I had that needed write access when testing, like emulators for example...
Loophole (with both rules enforced, only "progX.exe" will be allowed from that location)
# Path rule= %PROGRAMFILES%\example - Disallowed
# Path rule= %PROGRAMFILES%\example\progX.exe - Unrestricted
or
# Hash rule= progX.exe - Unrestricted
Same for .dll's if you enforced them.
Like that, the app will still work without issue, while any other executable without that exact file name will fail to execute in that directory, or even better, the same executable with a different file hash will fail. I had to specify more than one executable in my situation. I got a list for easy entries in the loophole by:
# dir /b /s "C:\Program Files\example\*.exe" >"D:\path\example.log"
Same for .dll's if you enforced them.
On a similar note, out of curiosity, might anyone know how critical it may be to enforce restriction on DLLs by default? I ask because of the DLL restriction drawbacks listed in the link. Granted they don't apply to me, but out of curiosity for those that may have substantial troublesome loopholes or multiple user logon startup items (not boot startup items).
I didn't see a Win7 or above article for that link, so not sure if everything stated still applies, but here are some of the titles from the link I found very helpful along with their examples.
Path rule precedence
Rule precedence
DLL Checking
Commonly Overlooked Rules
Scope of Software Restriction Policies
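As an added example (not code from the original poster or from mechBgon), the PowerShell script below generalizes the "dir /b /s" listing step from the post: it lists every .exe and .dll under one application directory with its SHA256 (ready to enter as Hash rules) and then flags subdirectories that non-admin groups can write to, which is exactly what turns an Unrestricted path rule into a loophole. The $AppDir path and the list of untrusted groups are assumptions to adjust for your own setup.

```powershell
# Added example, not from the original post. Inventory one application directory
# for SRP purposes: executables/DLLs with hashes, plus writable-by-users folders.
param(
    [string]$AppDir = "$env:ProgramFiles\example"   # assumed path; point it at your app
)

# Groups whose write access makes an Unrestricted path a loophole (assumed list)
$untrustedGroups = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'Everyone', 'NT AUTHORITY\INTERACTIVE')
$writeRight = [System.Security.AccessControl.FileSystemRights]::Write

Write-Host "== Executables and DLLs under $AppDir (candidates for Path or Hash rules) =="
Get-ChildItem -Path $AppDir -Recurse -File -Include *.exe, *.dll |
    ForEach-Object {
        # Hash rules key on the file content, so a replaced binary with the same name fails
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [PSCustomObject]@{ Path = $_.FullName; SHA256 = $hash }
    } | Format-Table -AutoSize

Write-Host "== Directories writable by non-admin groups (loopholes to fix or Disallow) =="
$dirs = @(Get-Item -Path $AppDir) + @(Get-ChildItem -Path $AppDir -Recurse -Directory)
foreach ($dir in $dirs) {
    $acl = Get-Acl -Path $dir.FullName
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs open anything; Deny ACEs are skipped
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($untrustedGroups -notcontains $ace.IdentityReference.Value) { continue }
        # Generic rights that Get-Acl shows as raw numbers are not decoded here
        if (($ace.FileSystemRights -band $writeRight) -ne 0) {
            "{0}  <- {1} has {2}" -f $dir.FullName, $ace.IdentityReference, $ace.FileSystemRights
        }
    }
}
```

Each flagged directory is a place where a non-admin user could drop and run a file under an Unrestricted path rule; either tighten its permissions as described in the EDIT above or cover it with a more specific Disallowed path rule.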