While whitelisting does protect against malware and guard against running unauthorized applications such as peer-to-peer programs, it also got in the way of immediate use of applications that employees legitimately needed, Hurt notes. Employees didn't like having to contact the IT department when these kinds of new applications came along.

But Hurt says he has seen whitelisting improve over time. Faronics released a better management console during the past year, and he's convinced whitelisting is a good way to combat malware. "I do believe whitelisting has gained a lot of momentum and it's something we'll return to," Hurt says.

But for now, employee desktops at the credit union are restricted from P2P programs, games, admin tools or using USB devices through the Sophos antimalware and host-based intrusion-prevention system Endpoint Protection, which can blacklist some applications.

Technology services provider Unisys also shares the sentiment that whitelisting can be problematic. According to Rene Head, global theater engagement manager for managed security services at Unisys, the downside is it may end up slowing business efficiency and stifle innovation. But on the plus side, he notes, whitelisting can cut down on help desk calls.

And most importantly, whitelisting can be most useful when it's used on computers such as application servers or in perimeter guards that aren't especially subject to employee whim.