A secure software execution mechanism appropriate for software circulation is provided. At a sender site 312, an executable file 332 and a data file 334 processed by the executable file are encapsulated. The remaining two files 336 and 338 do not physically exist in a pot 320 at the sender site, and an archive file 320 is transferred to a receiver site 314. At the receiver site 314, intangible files 336 and 338 within a pot may be mapped to a file 354 in a local file system or a file 356 within another pot 350 and processed using a file 334 in a pot or the mapped file 354 or 356 by executing a program 332, in conformity with the specification of a security policy 340.