COMMAND

    IBM ClientAccess

SYSTEMS AFFECTED

    Win systems with IBM ClientAccess (access to AS400)

PROBLEM

    Paul  Culmsee  posted  following.   IBM's  Client  Access software
    allows you  to execute  programs even  if restricted  via a system
    policy.  If you  create a single account  and set a system  policy
    that ran the client access  software instead of explorer, also  do
    the  other  usual  things  like  disable  task  manager,  registry
    editing, even  to the  point of  allowing ONLY  clientaccess to be
    run and no other applications whatsoever - won't help you.

    In  ClientAccess,  you  have  the  ability  to  modify the default
    toolbar and you have no way of disabling this.  By right  clicking
    on the toolbar and choosing add item, you can add the path to  any
    executable on the machine and  Client Access will add the  toolbar
    item.   Clicking  on  the  item  will  execute the application, no
    matter how restricted your system policy is.

SOLUTION

    IBM have reproduced the problem and it will require a patch.