Bugtraq: Re: First vulnerabilities in the SP2 - XP ?...

[Robert Decker <rdecker () esbsystems com>]

As a work around to the issue - although not to easy to configure for 
the home user,
I would think if you have users who are ignorant, gullable, or just 
plain stupid - a windows sysadmin might consider a GPO in AD with one or 
more of the following policies:
User Configuration --> Administrative Templates --> System -->  Prevent 
Access to Command Prompt
User Configuration --> Administrative Templates --> System -->  Run Only 
Allowed Windows Applications
User Configuration --> Administrative Templates --> System -->  Don't 
Run Specified  Windows Applications
Another huge advantage would be the proper implementation of the 
following in an AD GPO:
Configure some Software Restriction Policies in   User Configuration --> 
Windows Settings --> Security Settings --> Software Restrictions
and  if possible, couple it with certificates.  (although, i'm not too 
familiar with this one)
Computer Configuration --> Windows Settings --> Security Settings --> 
Local Policies --> Security Options -->  System settings: Use 
Certificate Rules on Windows Executables for Software Restriction  Policies