Run only allowed Windows applications
User Configuration\Administrative Templates\System
Limits the Windows programs that users have permission to run on the computer.
If you enable this policy, users can only run programs that you add to the List of Allowed Applications in this policy.
This policy only prevents users from running programs that are started by the Windows Explorer process. It does not prevent users from running programs such as Task Manager, which are started by the system process or by other processes. Also, if users have access to the command prompt, Cmd.exe, this policy does not prevent them from starting programs in the command window that they are not permitted to start by using Windows Explorer.
When both the Run only allowed Windows applications policy and the Don't run specified Windows applications policy are enabled, they are both applied. Users can only run the programs listed in the Run only allowed Windows applications policy. However, if a program in that list is prohibited by the Don't run specified Windows applications policy, it does not run.