/NOEXECUTE This option is only available on 32-bit versions of Windows when running on processors supporting no-execute protection. It enables no-execute protection (also known as Data Execution Protection - DEP), which results in the Memory Manager marking pages containing data as no-execute so that they cannot be executed as code. This can be useful for preventing malicious code from exploiting buffer overflow bugs with unexpected program input in order to execute arbitrary code. No-execute protection is always enabled on 64-bit versions of Windows on processors that support no-execute protection. There are several options you can specify with this switch:
/NOEXECUTE=OPTIN Enables DEP for core system images and those specified in the DEP configuration dialog.
/NOEXECUTE=OPTOUT Enables DEP for all images except those specified in the DEP configuration dialog.
/NOEXECUTE=ALWAYSON Enables DEP on all images.
/NOEXECUTE=ALWAYSOFF Disables DEP.
For reasons known only to Microsoft, OPTIN cannot be selected via a dialog box, this means that DEP would need to be enabled globally and then disabled for any individual applications that fail to behave correctly.
Of course, DEP is only really useful to protect computers from attacks via the internet, so it should to be enabled by default for browsers, etc. but is completely pointless for most other apps.