PowerShell gives you a number of options regarding execution policy. You use one of the following options with Set-Execution policy:
Restricted – won’t run scripts or profiles. This is the default execution policy
Allsigned – only scripts (and profiles) signed with a trusted certificate can run. This includes anything you create on local machine.
RemoteSigned – Scripts (and profiles) on local drives will run. Scripts downloaded from Internet or from network drives are blocked
Unrestricted – anything runs though you are prompted before a downloaded unsigned script is run. This setting is what’s generally called a bad idea as its too permissive.
Bypass – everything runs without warnings or prompts. In most cases a worse idea than unrestricted
Undefined – removes currently assigned execution policy from the current scope though it won’t work if policy set by GPO
Just to add to the fun you have to think about the scope as well:
Process – only the current PowerShell process
CurrentUser –only the current user
LocalMachine – all users on the computer. This is the default setting.
I normally use RemoteSigned as it offers the best choice between ease of use and security. For an organisation that makes extensive use of PowerShell I’d recommend Allsigned with the code signing certificate only available to a small number of users who were responsible for performing quality assurance checks on the code.