Disable the command prompt
User Configuration\Administrative Templates\System
Prevents users from running the interactive command prompt, Cmd.exe. This policy also determines whether batch files (.cmd and .bat) can run on the computer.
If you enable this policy and the user tries to open a command window, the system displays a message explaining that a policy prevents the action.
Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Terminal Services.