Software Restriction help

Post by mupdik » Thu, 10 Nov 2005 22:39:46

Goal: To allow elevated msi installations on XP machines, restricting
the msi's that Power Users can run to those that are signed and
exempting local IT from restriction so non-signed (packaged) apps can
be installed.

Policies set:
Always elevate Windows Installer in both user and Computer
Software restrictions:
Path restriction: *.msi Disallowed
Certificate rule: TESTCERT - (from Win2K3 CA) Unrestricted
Security Levels - Default: Unrestricted
Enforcement: All except Libraries; All users except local
Designated File Types: msi
Trusted Publishers: End Users; Check: Publisher; Timestamp

Background: Policies currently must be set via local GPO since AD is
not available (in test phase). Certificate granted from Win2K3 server
CA from test domain controller machine outside of production
environment. certnew.cer installed on machine and used in Certificate
rule. certnew.cer converted to TESTSIGN.spc using MS .NET framework
tool cert2spc.exe for msi signing in InstallShield Professional 11.
"AuthenticodeEnabled" registry key set to allow certificate rules.

Issue: Certificate exemption never seems to actually take the
precedence that the rules specify it should.

All help is extremely appreciated!
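
To confirm that the settings listed in the post actually landed in the registry of a test machine, here is an added example that is not part of the original post: a read-only PowerShell script that prints the SRP enforcement values, the path rules and the Windows Installer elevation policy. The registry locations and value meanings are assumed to be the standard SRP and Windows Installer policy locations, the helper names are hypothetical, and certificate rules themselves are not enumerated.

```powershell
# Added example: read-only dump of the settings described in the post.
# Registry locations below are assumed standard policy locations.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Get-RegValue($Path, $Name) {          # hypothetical helper
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Show-Setting($Label, $Value, $Map) {  # hypothetical helper
    if ($null -eq $Value) { $text = '(not set)' }
    elseif ($Map -and $Map.ContainsKey([int]$Value)) { $text = "$Value ($($Map[[int]$Value]))" }
    else { $text = "$Value" }
    '{0,-34} {1}' -f $Label, $text
}

$levels  = @{ 0 = 'Disallowed'; 262144 = 'Unrestricted' }
$enforce = @{ 0 = 'No enforcement'; 1 = 'All except libraries'; 2 = 'All files' }
$scope   = @{ 0 = 'All users'; 1 = 'All users except local administrators' }
$onOff   = @{ 0 = 'Off'; 1 = 'On' }

Show-Setting 'DefaultLevel'        (Get-RegValue $safer 'DefaultLevel')        $levels
Show-Setting 'TransparentEnabled'  (Get-RegValue $safer 'TransparentEnabled')  $enforce
Show-Setting 'PolicyScope'         (Get-RegValue $safer 'PolicyScope')         $scope
Show-Setting 'AuthenticodeEnabled' (Get-RegValue $safer 'AuthenticodeEnabled') $onOff

# Designated file types: the post expects msi to be in this list.
$types = @(Get-RegValue $safer 'ExecutableTypes')
Show-Setting 'MSI in designated file types' ($types -contains 'MSI')

# Path rules are stored per security level; the post expects *.msi under Disallowed.
foreach ($level in 0, 262144) {
    $paths = Join-Path $safer "$level\Paths"
    if (Test-Path $paths) {
        Get-ChildItem $paths | ForEach-Object {
            Show-Setting "Path rule ($($levels[$level]))" (Get-RegValue $_.PSPath 'ItemData')
        }
    }
}

# "Always elevate" is set per machine and per user; HKCU reflects the
# account running this script, so run it as the affected user as well.
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = "$hive\SOFTWARE\Policies\Microsoft\Windows\Installer"
    Show-Setting "AlwaysInstallElevated ($hive)" (Get-RegValue $key 'AlwaysInstallElevated') $onOff
}
```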