by koheripbal
2246 days ago
There are two important reasons, and one medium reason...

1. These rules are usually distributed via GPO, and the AD system it uses may or may not have a useful and/or well maintained notion of who is a "developer". At best it's done at the departmental level, which isn't that great - since a lot of IT/dev people work in all departments.

2. Whenever you make an exception to a rule that restricts behavior, it's always the worst actors that game that system to get the exception. It's exactly that one VP who thinks he's tech "enough" to handle the risk that'll figure out how to get the exception for himself - he's also the one to run a torrent client to download a free copy of "PDF Writer" or a malicious keylogger.

3. GPOs can be complex to apply - errors happen. The simpler you have your rules, the less likely there is an error that leaves core/critical systems unprotected.