This is the fourth part of a feature comparison series where I look at the differences between Microsoft Windows 7 Professional and Enterprise editions. For the full list of features, see the first post.

In this post I’ll review the usage scenarios and explore the benefits and caveats of AppLocker; hopefully it will help you decide if AppLocker contributes to the case for the extra cost of the Enterprise license.

AppLocker is a policy based security mechnaism that either allows or disallows software from running on a system. You’re right in thinking this sounds a lot like Microsoft’s Software Restriction Policy (SRP) feature. They are very similar, but not the same thing. As with SRP, AppLocker can either block all applications from running except for the ones you whitelist, or allow all except for the ones you blacklist. Like most security solutions, the more secure it is, the more burdensome management can be. AppLocker improves on SRP with new features that make setup and management easier. My favourite is the ability to white- or black-list applications by vendor, so for example I can unlock all Adobe apps with one rule.

Applocker may be better than SRP but this doesn’t mean that you have to get rid of your SRP group policies, as Windows 7 supports both AppLocker and SRP. It does this by ignoring SRP if both AppLocker and SRP settings are applied to the system. This also means that if you have a mixture of Windows 7, XP and or Vista machines then you can use use a mixture of AppLocker and SRP, but it is advisable to thoroughly test the effects of combining these settings in the same group policy.

To conclude, I think AppLocker offers a great way to make your Windows 7 desktops more secure. The biggest obstacle to implementing it may actually be user acceptance, especially in environments where they had free reign over their pre-Windows 7 machines, but that’s not an insurmountable problem. To get started with evaluating Applocker you can download the walkthrough from Microsoft’s website.