Comment This is good - think OS X Gatekeeper (Score 2) 190
This sounds a lot like Gatekeeper on the Mac, which works really well. It allows the user several levels of trust - "trust store apps only", "trust store apps plus recognised developers" (certificate signed), "allow everything".
I have mine set to "store apps plus recognised developers" and ask for the rest. If I run something else, I can right click and select Open..., it asks me if I'm sure and I say yes. This is a five second operation which gives me control over my options, whilst preventing unknown apps from running without my knowledge and explicit say so. This Windows one sounds pretty much the same, with the addition of your classic enterprise lock down features - it it's a corporately-owned machine, then yes the corporate should get say over what's running on it.
Imagine the kind of download-happy, click-on-everything user that we've all seen around. They would download cunningly-disguised-malware.exe and try to run it, and the OS would simply prevent them. Now true if they had admin rights they could go into preferences, set to allow everything etc. but it's all more effort and a quick realisation that something's unusual here.
Nope, I regard this as a good move. It already exists in OS X and works well - putting a similar system into Windows seems like a good idea to me.
I have mine set to "store apps plus recognised developers" and ask for the rest. If I run something else, I can right click and select Open..., it asks me if I'm sure and I say yes. This is a five second operation which gives me control over my options, whilst preventing unknown apps from running without my knowledge and explicit say so. This Windows one sounds pretty much the same, with the addition of your classic enterprise lock down features - it it's a corporately-owned machine, then yes the corporate should get say over what's running on it.
Imagine the kind of download-happy, click-on-everything user that we've all seen around. They would download cunningly-disguised-malware.exe and try to run it, and the OS would simply prevent them. Now true if they had admin rights they could go into preferences, set to allow everything etc. but it's all more effort and a quick realisation that something's unusual here.
Nope, I regard this as a good move. It already exists in OS X and works well - putting a similar system into Windows seems like a good idea to me.