Users need to prevent each of their Java applications from seeing the Java installation in the base.
To implement this, you need to add an "isolation rule" to each of the application layers. This must be done by editing the registry. Each layer stores its settings in a registry key similar to the ones below. The number on the end of the key name depends on your system.
If you run the command "svscmd.exe enum -v", you will notice that each layer has an entry called "Redirect Locations", which specifies the location of the redirect areas for the read-only and read-write sublayers. You must add the rules to the read-only sublayer.
First, create a Multi-String registry value named "IsolationRules" in each of the layers. Each isolation rule occupies a single line in the multi-string and has the general form "Processes named x running from layer x are blocked from accessing objects named (x,x,x) found in layer x." The individual fields within the rule are separated with a tab character. (You won't be able to type the tab characters directly in regedit, but you can write the rules in Notepad and then paste them into regedit.)
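As an alternative to pasting from Notepad, the tab-separated rule can be written from PowerShell. This is an added example, not code from the original page or from the product's documentation; the function name `Add-IsolationRule`, the placeholder key path and the placeholder field values are assumptions, and the field order simply follows the sentence form given above, so check it against a known-good rule before using it.

```powershell
# Added example. Add-IsolationRule is a hypothetical helper, not a product cmdlet.
function Add-IsolationRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Registry key that holds the layer's settings (copy the real key from your system).
        [Parameter(Mandatory)] [string]   $LayerKey,
        # The rule's fields, one array element per field, in rule order.
        [Parameter(Mandatory)] [string[]] $Fields
    )

    # A tab or line break inside a field would split the rule into extra fields or lines.
    foreach ($f in $Fields) {
        if ($f -match "[`t`r`n]") { throw "Field contains a tab or line break: '$f'" }
    }
    $rule = $Fields -join "`t"    # fields are separated by a single tab character

    if (-not (Test-Path -LiteralPath $LayerKey)) { throw "Layer key not found: $LayerKey" }

    # Read any rules already present so earlier lines are kept; drop empty entries.
    $existing = @(
        (Get-ItemProperty -LiteralPath $LayerKey -Name IsolationRules `
            -ErrorAction SilentlyContinue).IsolationRules | Where-Object { $_ }
    )
    if ($existing -contains $rule) { return $existing }    # already there, nothing to write

    [string[]] $updated = $existing + $rule                # one rule per multi-string line
    if ($PSCmdlet.ShouldProcess($LayerKey, 'Write IsolationRules')) {
        New-ItemProperty -LiteralPath $LayerKey -Name IsolationRules `
            -PropertyType MultiString -Value $updated -Force | Out-Null
    }
    $updated    # resulting rule list (with -WhatIf: the list that would be written)
}

# Placeholders only: substitute the layer key and field values from your own system.
$key    = 'HKLM:\<layer-settings-key>'
$fields = '<process name>', '<process layer>', '<object names>', '<object layer>'

# Preview first; remove -WhatIf to write. Tabs are shown as <TAB> for review.
Add-IsolationRule -LayerKey $key -Fields $fields -WhatIf |
    ForEach-Object { $_ -replace "`t", '<TAB>' }
```

Run it from an elevated PowerShell session, once per application layer, since each layer needs its own "IsolationRules" value.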
The rules that we create for our two layers look like the following:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\FSLX\Parameters\FSL – and the corresponding read-only sublayer folder, for example: