I don't want any standard user to run any application except those which are already installed, so I created a path rule in Software Restriction Policy and disallowed all applications (.exe, .msi & .msp) except those which are present in the Windows & Program Files folders. But the problem is that some applications (like Matlab) require access to PROGRAM DATA (like Java) and the APP DATA FOLDER, which contain many executables. If I allow those folders, standard users are able to copy any portable application into those folders & run it from there. That means users are able to write into those folders.
However, I can create a path rule for all executables present in those folders and allow them, but there are too many of them, so it's not convenient to create rules one by one.
Also, I have a personal folder in Local Drive (D) which contains some useful portable applications, so I want to allow that folder and at the same time make it write protected so that standard users cannot copy any other application and run it at their own will.
Windows 7 Ultimate 32 bit service pack 1
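
One way to see which folders under the allowed paths are writable by standard users, as an added example that is not part of the original post. The `D:\PortableApps` folder name is a placeholder, the script ignores Deny entries and ACEs granted to individual accounts, and it sticks to PowerShell 2.0 syntax as shipped with Windows 7.

```powershell
# Added example: list folders under SRP-allowed paths where standard users can create files.
# Run from an elevated prompt. 'D:\PortableApps' is a placeholder for the personal folder.
$AllowedRoots = @($env:ProgramData, 'D:\PortableApps')

# Well-known SIDs every standard user holds:
# BUILTIN\Users, Authenticated Users, Everyone, INTERACTIVE
$StandardSids = @('S-1-5-32-545', 'S-1-5-11', 'S-1-1-0', 'S-1-5-4')

# WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
# GENERIC_ALL (0x10000000), GENERIC_WRITE (0x40000000).
# Modify and FullControl contain the first two bits, so they match as well.
$WriteMask = 0x2 -bor 0x4 -bor 0x10000000 -bor 0x40000000

function Test-UserWritable {
    param([string]$Path)
    try {
        $acl = Get-Acl -Path $Path -ErrorAction Stop
    } catch {
        return $false   # ACL not readable; check this folder by hand
    }
    # Ask for SIDs rather than names so the check is locale-independent.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        if ($StandardSids -notcontains $r.IdentityReference.Value) { continue }
        # InheritOnly (2) ACEs apply to children only, not to this folder.
        if (([int]$r.PropagationFlags) -band 2) { continue }
        if (([int]$r.FileSystemRights) -band $WriteMask) { return $true }
    }
    return $false
}

foreach ($root in $AllowedRoots) {
    if (-not (Test-Path $root)) { continue }
    # -Force includes hidden folders; ProgramData itself is hidden.
    $dirs = @(Get-Item $root -Force) +
            @(Get-ChildItem $root -Recurse -Force -ErrorAction SilentlyContinue |
              Where-Object { $_.PSIsContainer })
    foreach ($d in $dirs) {
        if (Test-UserWritable $d.FullName) {
            "USER-WRITABLE  $($d.FullName)"
        }
    }
}
```

Every folder it prints is a place where a copied executable would run under a path rule that allows the parent folder.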