The lastest zero-day Windows vulnerability (All versions) can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV.

Chester Wisniewski’s Blog (working at Sophos) describes the use of a GPO to protect you against the exploit. The GPO should disallow the use of executable files that are not on the C: drive. If you need to run executable files from a network drive (old programs?) just specify the specific network paths in the GPO.

The exploit in action