HOTSPOT
Your network contains an Active Directory forest. The forest contains a single domain named contoso.com.
AppLocker policies are enforced on all member servers.
You view the AppLocker policy applied to the member servers as shown in the exhibit. (Click the Exhibit button.)
To answer, complete each statement according to the information presented in the exhibit. Each correct selection is worth one point.
Hot Area:
Answer: 
Only Local Users can run IE as the question stated “Only the members of Domain admins” by default members of domain admins was Administrator and this account has a default membership to Domain users group. This means that deny rule override the allow rule.
0
0
Drin, are you sure that deny to all users will be interrupt allow to domain users?
0
0
Cartman, It is not deny to all users but just to Domain users. I’ve tested it on my Lab and i found that the default members of Domain Admins group was administrator and by default administrator account is the member of domain users. This means that Deny rule for the domain users will override the allow rule for everyone under the domain.
0
0
Question about the group, not about users. So the domain admins group is allowed to run IE, but local users can also run IE. this is strange
0
0
The first answer is wrong.
Only Local Users can run Internet Explorer is the correct answer.
AppLocker Deny rules always take precedence. There are two deny rules for IE, one for Server Operators and the other for Domain Users. By default Domain Admins are members of Domain Users, therefore the Domain Users deny rule would prevent Domain Admins from running IE.
The only option that is not effected by a deny rule is “Local Users”.
0
0
ANSWER IS
LOCAL
EVERYONE
0
0