According to Microsoft's guidance on GPO software restriction:
Path Rules
A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it matches any program contained in that folder and any programs contained in subfolders. Both local and UNC paths are supported.
Using Environment Variables in Path Rules.
A path rule can use environment variables. Since path rules are evaluated in the client environment, the ability to use environment variables (for example, %WINDIR%) allows a rule to adapt to a particular user's environment.
Important: Environment variables are not protected by access control lists (ACL). If users can start a command prompt they can redefine an environment variable to a path of their choosing.
Using Wildcards in Path Rules. A path rule can incorporate the '?' and '*' wildcards, allowing rules such as "*.vbs" to match all Visual Basic® Script files. Some examples:
• "\\DC-??\login$" matches \\DC-01\login$, \\DC-02\login$
• "*\Windows" matches C:\Windows, D:\Windows, E:\Windows
• "c:\win*" matches c:\winnt, c:\windows, c:\windir
So, since a user can simply redefine what %APPDATA% points to, consider the use of the APPDATA environment variable in your path rule, rather than the actual full file system path.
The following examples show instances of applying environment variables to a path rule:
• “%UserProfile%” matches C:\Documents and Settings\User and all subfolders under this directory.
• “%ProgramFiles%\Application” matches C:\Program Files\Application and all subfolders under this directory.
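
The following is an added example, not code from the original answer or from Microsoft: a simplified Python model of the path-rule matching quoted above, used to audit which rules depend on environment variables and whose effective path changes between the intended environment and a session where a variable has been redefined. The environment values, rule list and function names are assumptions made for illustration, and the matching logic approximates the documented behaviour rather than reproducing the Windows implementation.

```python
import re
from fnmatch import fnmatchcase

VAR = re.compile(r"%([^%]+)%")

# Constructed sample data (assumed values, not taken from the page).
BASELINE_ENV = {"ProgramFiles": r"C:\Program Files"}
SESSION_ENV = {"ProgramFiles": r"D:\Scratch"}  # variable redefined in a user session
RULES = [r"%ProgramFiles%\Application", r"C:\Program Files\Application", r"*.vbs"]


def expand(rule, env):
    """Replace %NAME% tokens using env; names compare case-insensitively."""
    lookup = {k.upper(): v for k, v in env.items()}
    return VAR.sub(lambda m: lookup.get(m.group(1).upper(), m.group(0)), rule)


def rule_matches(rule, program, env):
    """Simplified model: a rule matches a path itself or anything beneath it."""
    pattern = expand(rule, env).rstrip("\\").lower()
    # The page lists only '?' and '*' as wildcards, so neutralise fnmatch's '['.
    pattern = pattern.replace("[", "[[]")
    target = program.lower()
    return fnmatchcase(target, pattern) or fnmatchcase(target, pattern + "\\*")


def env_dependent_rules(rules):
    """Audit helper: rules that contain at least one %VARIABLE% token."""
    return [r for r in rules if VAR.search(r)]


def drifted_rules(rules, baseline, session):
    """Rules whose effective path in `session` differs from the intended one."""
    return [r for r in rules
            if expand(r, baseline).lower() != expand(r, session).lower()]


if __name__ == "__main__":
    app = r"C:\Program Files\Application\bin\app.exe"
    for rule in RULES:
        print(f"{rule!r}: baseline={rule_matches(rule, app, BASELINE_ENV)} "
              f"session={rule_matches(rule, app, SESSION_ENV)}")
    print("depends on environment:", env_dependent_rules(RULES))
    print("effective path changed:", drifted_rules(RULES, BASELINE_ENV, SESSION_ENV))
```
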