Out of four possible states for data execution prevention, this is the second weakest.
DEP (Data Execution Prevention) is a hardware-enforced control: the processor refuses to execute bytes that sit in memory marked as data rather than as executable code.
Whenever you read about a security patch for a “buffer overrun”, know that DEP could have helped to block exploitation of that problem.
Unfortunately, many programs are poorly written and mix data and program instructions in such a way that this good security measure can’t be used for them. (As far as I know, however, 64-bit versions of Windows enforce DEP to be on at all times.)
On 32-bit Windows platforms, there are four possible policies that can be declared. They are, from weakest to strongest:
The default value is opt-in, where DEP is applied only to those programs that declare that DEP should be used.
Opt-out enables DEP for every program, but allows a program to opt out.
The other two options are self-explanatory, I hope.
On my computer, I changed to OPTOUT a long time ago and (knock on wood) haven’t noticed any misbehaving programs. This means that I managed to raise the security a lot.
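A way to check which of the four policies a machine is actually running, as an added example that is not part of the original post. It assumes an elevated PowerShell on Windows and reads the DEP fields of the Win32_OperatingSystem WMI class, whose policy codes map 0/1/2/3 to AlwaysOff/AlwaysOn/OptIn/OptOut; the bcdedit command it prints is the documented way to change the policy.

```powershell
# Added example: report the active Data Execution Prevention policy
# and warn when it is one of the two weak settings.
# Assumes Windows and an elevated PowerShell session.
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# DataExecutionPrevention_SupportPolicy codes, ranked weakest (1) to strongest (4).
$policyNames = @{ 0 = 'AlwaysOff'; 2 = 'OptIn'; 3 = 'OptOut'; 1 = 'AlwaysOn' }
$strength    = @{ 0 = 1;           2 = 2;       3 = 3;        1 = 4 }

$code = [int]$os.DataExecutionPrevention_SupportPolicy
$name = $policyNames[$code]

[pscustomobject]@{
    HardwareDEPAvailable = $os.DataExecutionPrevention_Available   # NX/XD bit usable
    Policy               = $name
    StrengthRank         = "$($strength[$code]) of 4"
    Covers32BitApps      = $os.DataExecutionPrevention_32BitApplications
    CoversDrivers        = $os.DataExecutionPrevention_Drivers
} | Format-List

if (-not $os.DataExecutionPrevention_Available) {
    Write-Warning 'Processor or firmware does not expose hardware DEP; only software DEP is possible.'
}
elseif ($strength[$code] -lt 3) {
    # OptIn (the default) and AlwaysOff leave most programs unprotected.
    Write-Warning "Policy '$name' protects only programs that opt in."
    Write-Host   'To switch to OptOut (effective after reboot):  bcdedit /set nx OptOut'
}
else {
    Write-Host "Policy '$name' applies DEP to every program unless it explicitly opts out."
}
```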