Security researcher Mark Russinovich once again knocks one out of the park by showing that even non-admin users can bypass Software Restriction Policies and other components of Group Policy.
Software Restriction Policies (SRP) are another example of Group Policy settings that can be subverted by limited users if you allow them to run an arbitrary executable – in other words, if you don’t apply SRP correctly by using it to define the executables users can run (whitelisting) instead of simply singling out executables that you don’t want them to run (blacklisting). When a user launches a process it’s the parent process that checks SRP to see if the execution of the child should be allowed or blocked, allowing the owner of the parent process to manipulate the process into bypassing or negating SRP processing. There are many ways of accomplishing that, including writing a program that reaches into the parent’s address space and changes the Registry path strings that refer to SRP storage or overwriting the code that reads SRP Registry settings.
Be sure to read the comment thread; there are many ways to weaken or remove the protections that even properly designed Group Policies can give you, including unplugging the machine from the network and logging in with cached credentials. That prevents the machine from reaching a domain controller, so it cannot pull down and apply new or changed GPOs. Note the limit of that trick, though: settings that an earlier refresh already wrote to the local registry (SRP rules included) stay there and remain in force, so going offline only freezes the machine at whatever policy it last received. It just goes to show that the 10 Immutable Laws of Security are still valid, Law #1 (if a bad guy can persuade you to run his program on your computer, it's not your computer anymore) and Law #3 (if a bad guy has unrestricted physical access to your computer, it's not your computer anymore) in particular.
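The first thing to check on a box where you rely on SRP is whether the policy is a whitelist at all, and whether local administrators are exempt from it. The following script is an added example (not code from this post or from Russinovich's article): it reads the SRP policy that Group Policy has cached in the local registry and reports the default level, the mode (whitelist when the default level is Disallowed, blacklist when it is Unrestricted), whether administrators are exempt, whether DLLs are checked, and the path rules. The key paths, value names and level codes are the documented SRP registry layout; the function name Get-SrpPolicy and the labels it prints are mine. The Policies keys are normally readable by a limited user, so nothing here needs elevation.

```powershell
# Added example, not part of the original post. Audits the Software Restriction
# Policy cached in the local registry. Key paths, value names and level codes are
# the documented SRP layout; Get-SrpPolicy and the output labels are this script's own.

# Safer level codes and the names the SRP snap-in gives them.
$levelNames = [ordered]@{
    0      = 'Disallowed'
    4096   = 'Untrusted'
    65536  = 'Constrained'
    131072 = 'Basic User'
    262144 = 'Unrestricted'
}

function Get-SrpPolicy {
    param(
        # Machine policy lives under HKLM, per-user policy under HKCU; Group Policy writes both.
        [ValidateSet('Machine', 'User')] [string] $Scope = 'Machine'
    )
    $hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
    $base = "$hive\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

    if (-not (Test-Path $base)) {
        # No CodeIdentifiers key means no SRP policy has ever been applied in this scope.
        return [pscustomobject]@{ Scope = $Scope; Configured = $false }
    }

    $ci = Get-ItemProperty -Path $base

    # DefaultLevel decides what happens to a file no rule matches.
    # 0 (Disallowed) = whitelist; 262144 (Unrestricted) = blacklist.
    if ($null -eq $ci.DefaultLevel) {
        $defaultLevel = 'Unset'
        $mode = 'Unknown'
    } else {
        $defaultLevel = $levelNames[[int]$ci.DefaultLevel]
        $mode = switch ([int]$ci.DefaultLevel) {
            0       { 'Whitelist' }
            262144  { 'Blacklist' }
            default { 'Other' }
        }
    }

    # Rules are stored as <level>\Paths\<GUID>; ItemData holds the path, Description the admin's note.
    $rules = foreach ($level in $levelNames.Keys) {
        $pathKey = Join-Path $base "$level\Paths"
        if (Test-Path $pathKey) {
            Get-ChildItem -Path $pathKey | ForEach-Object {
                $r = Get-ItemProperty -Path $_.PSPath
                [pscustomobject]@{
                    Level = $levelNames[$level]
                    Path  = $r.ItemData
                    Note  = $r.Description
                }
            }
        }
    }

    [pscustomobject]@{
        Scope           = $Scope
        Configured      = $true
        DefaultLevel    = $defaultLevel
        Mode            = $mode
        # PolicyScope 1 = "all users except local administrators": admins are not checked at all.
        AdminsExempt    = ([int]$ci.PolicyScope -eq 1)
        # TransparentEnabled 2 = all software files (DLLs included); 1 = executables only.
        DllsChecked     = ([int]$ci.TransparentEnabled -eq 2)
        ExecutableTypes = $ci.ExecutableTypes
        Rules           = @($rules)
    }
}

# Report both scopes. A machine policy in Blacklist mode, or one with AdminsExempt set,
# is the configuration the post warns about.
foreach ($scope in 'Machine', 'User') {
    $policy = Get-SrpPolicy -Scope $scope
    $policy | Select-Object Scope, Configured, DefaultLevel, Mode, AdminsExempt, DllsChecked | Format-List
    $policy.Rules | Format-Table Level, Path, Note -AutoSize
}
```

Because the script reads the locally cached copy of the policy rather than asking a domain controller, running it on a machine that has been unplugged and logged on with cached credentials also shows the other point above in practice: whatever rules the last refresh wrote are still there and still enforced.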