applying group policy to computers

Try just putting %appdata% in as the path?

but i want to limit executables from running there though.

A couple of levels higher in the hierarchy is the "Enforcement" policy.

If you're performing this test as a local admin, make sure this policy is set to "All Users" and not "All users except local administrators"

Software restriction policy rules apply automatically to some types of executable files, regardless of their extension type. This includes the following types of files:

    Windows operating system executable files (.exe, .com, .dll)

    Windows scripting files (when processed by Windows Script Host, such as .vbs, and .wsh files)

    Command batch files (when processed by Windows CMD, such as .bat, .cmd)

    Installation packages when processed by Windows Installer (.msi)

So the /*.exe is redundant

ok i'll try that, but the policy is set to all authenticated users.

edit:

after editing the policy to remove .exe, ran gpupdate on my machine.
Test it again and was still able to open the .exe.

So what's the setting(s) in the Enforcement policy?

It's at the "Software Restriction Policies" level

In mine I see three options:
1) "Apply software restriction policies to the following:"
    a) All software files except libraries
    b) All software files
2) Apply software restriction policies to the following users:
    a) All users
    b) All users except local admins
3) When applying software restriction policies:
    a) Enforce certificate rules
    b) Ignore certificate rules

So my initial suggestion was to ensure that option 2a) was selected if you're testing as a local admin.

(just to be clear, i'm not talking about the security filtering on the group policy itself)

where are you seeing that? I see nothing like that.

The attached are two images of the Enforcement policy.

what domain functional level are you using out of interest?

and have you tested the policy running as a non-local administrator? just to see if the rule is actually correct?
software-restriction-enforcement.png
software-restriction-enforcement.png

oh ok, i saw those already and it was same settings.
2003 domain functional level btw.

Not sure what was change but all my shortcuts stop working so it was enforcing %appdata%

I didn't want that though, it was blocking everything.

I just wanted to block files that has .exe.

Not sure if I have the prefixes right: C:\Users\me\AppData\netscan.exe

Right now I have:

Path: %AppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Path if using Windows Vista/7/8: %LocalAppData%\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from %AppData%.

Path: %AppData%\*\*.exe
Security Level: Disallowed
Description: Don't allow executables to run from immediate subfolders of %AppData%.

yeah you are correct, i place the files in local and roaming after echoing it return those results.

Test the .exe and they were block. Now I just need to figure how to get to appdata.
I did try your example but that did not work.

apparently according to this article, this is not possible:

http://ss64.com/nt/syntax-variables.html

I guess they increase the security on win7, but had the feature in xp.

But thanks man for the help. You help me fix it.

No worries. glad to help.

good luck with the virus issues.

I guess it would be good to just mention this now, i'd be cautious of leaving this block in place for too long... I'm not 100% sure, but this might impact the ability for some application to update themselves.

yeah i thought about it, but i had users getting viruses that have wipe out all their work files, losing months of work.
I think this will benefit more. But you're still able to run the application manually from the shortcuts on desktop and start menu fine.