Hello,
Basically, the Application and Device Control Policy enables all the protection it carries, providing the maximum protection.
If you want to disable it or view it, please check the following:
1) Log in to the SEPM.
2) Go to the Application and Device Control Policy and check whether "Protect client files and registry keys" is checked. If it is, make sure you uncheck it.
3) In regard to the IE issue, check whether you have any Intrusion Prevention Policy applied for IE; if so, please make sure you remove it.
Basically, when you apply this policy, it checks all the check boxes shown above.
From the article "Hardening Symantec Endpoint Protection with an Application and Device Control Policy to increase security":
http://www.symantec.com/docs/TECH132337
These policies are for better security:
1. Protects Symantec Endpoint Protection files and registry keys
Numerous threats attack Symantec Endpoint Protection in an attempt to gain access to protected machines. This rule set protects Symantec Endpoint Protection’s registry keys, files, processes and services from outside interference. Enabling this rule could interfere with any non-Symantec products that attempt to integrate with Symantec Endpoint Protection.
2. Prevents Internet Explorer and Firefox from writing code to WINDIR and Program Files, including subdirectories / Prevents Internet Explorer from launching code except in WINDIR and Program Files
Internet Explorer drive-by downloads are a very common threat vector. This rule prevents many such attacks by blocking access to locations typically written to by threats. Users also will be unable to download executables to WINDIR or anywhere in Program Files, but can continue to download to the Desktop, My Documents, or Downloads directories.
Exclusions are already in place for Windows Updates.
Extra care should be used when rolling out this rule. It has been included in this set due to its power to block threats, but it has consequences that should be considered. First, this rule can interfere with new ActiveX controls, which are effectively code Internet Explorer downloads and runs. Second, users will no longer be able to Run downloaded executables directly from the browser. Instead they will be required to Save As to disk before running.
3. Prevents IE from running commonly exploited system code such as wscript, telnet, mshta, cmd, ftp, rundll32, reg, and at.
This rule blocks some common ways threats run after triggering a browser exploit. Legitimate use of these programs by browsers is rare.
4. Prevents registration of new browser helper objects.
Browser Helper Objects, also known as BHOs, are commonly used by threats to spy on or interfere with web browsing. This rule is useful if your organization does not allow BHOs or has a pre-installed set of allowed BHOs.
5. Prevents registration of new browser toolbars.
Browser toolbars, like BHOs, are used to spy on or interfere with web browsing. This rule is useful if your organization does not allow browser toolbars or has a pre-installed set of allowed browser toolbars.
I would suggest this must-read article:
How the Application and Device Control Hardening policy works
http://www.symantec.com/docs/TECH132307
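An added example, not part of the original post and not Symantec's code: a small Python model of rules 2 and 3 as the quoted article describes them, useful for predicting which browser actions a pilot rollout will block. The directory locations, the event format, and the function names are assumptions; the Windows Update exclusions and any file-type inspection are not modelled.

```python
from pathlib import PureWindowsPath

# Assumed default locations; a real host resolves %WINDIR% / %ProgramFiles% itself.
PROTECTED_DIRS = [PureWindowsPath(p) for p in (
    r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")]
BROWSERS = {"iexplore.exe", "firefox.exe"}
# Programs named in rule 3 of the quoted article.
BLOCKED_CHILDREN = {name + ".exe" for name in (
    "wscript", "telnet", "mshta", "cmd", "ftp", "rundll32", "reg", "at")}


def under_protected(path):
    """True if path is inside a protected directory, subdirectories included.

    Compares whole path components (case-insensitively, as Windows does),
    so C:\\Windows2 is not mistaken for C:\\Windows.
    """
    p = PureWindowsPath(path)
    return any(p == d or d in p.parents for d in PROTECTED_DIRS)


def evaluate(event):
    """Return (verdict, reason) for one event dict (hypothetical format)."""
    actor = event["process"].lower()
    target = PureWindowsPath(event["target"])
    if event["kind"] == "write" and actor in BROWSERS and under_protected(target):
        return "block", "rule 2: browser write to WINDIR/Program Files"
    if event["kind"] == "launch" and actor == "iexplore.exe":
        if target.name.lower() in BLOCKED_CHILDREN:
            return "block", "rule 3: commonly exploited system program"
        if not under_protected(target):
            return "block", "rule 2: launch from outside WINDIR/Program Files"
    return "allow", "no rule matched"


# Constructed sample events (not taken from any real log).
SAMPLE_EVENTS = [
    {"kind": "write", "process": "iexplore.exe", "target": r"C:\WINDOWS\Temp\a.exe"},
    {"kind": "write", "process": "firefox.exe", "target": r"C:\Users\alice\Downloads\setup.exe"},
    {"kind": "launch", "process": "iexplore.exe", "target": r"C:\Users\alice\Downloads\setup.exe"},
    {"kind": "launch", "process": "iexplore.exe", "target": r"C:\Windows\System32\mshta.exe"},
    {"kind": "launch", "process": "iexplore.exe", "target": r"C:\Program Files\Vendor\viewer.exe"},
    {"kind": "write", "process": "iexplore.exe", "target": r"C:\Windows2\x.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, reason = evaluate(ev)
        print(f"{verdict:5} {ev['process']:13} {ev['kind']:6} {ev['target']}  ({reason})")
```

The third event is the "Save As, then run" consequence the article warns about: the download to the Downloads directory is allowed, but launching it directly from Internet Explorer is not.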