To prevent this, remove the Read (R) permission from the Everyone Group while retaining the Execute (X) permission. If the file cannot be read, they can't insert an object, yet the Execute permission still allows Explorer to function as the shell.
In Explorer, highlight %SystemRoot%\Explorer.exe, right-click, and select Properties / Security / Permissions. Double-click the Everyone Group and clear the Read (R) attribute in the Special Access dialog box. You can also use XCACLS from the
xcacls.exe explorer.exe /t /e /p everyone:x
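To confirm the change took effect, the following read-only check reports what the Everyone Group is still granted on Explorer.exe. It is an added example, not part of the original tip, and assumes a system where PowerShell and its Get-Acl cmdlet are available (neither is mentioned on the page).

```powershell
# Added example: audit the Everyone ACEs on Explorer.exe. Read-only; changes nothing.
$path = Join-Path $env:SystemRoot 'explorer.exe'

# FileSystemRights bit values: ReadData = 0x1, ExecuteFile = 0x20.
$ReadData    = 0x1
$ExecuteFile = 0x20

# Ask for SIDs rather than names so the match on Everyone (well-known SID S-1-1-0)
# also works on localized systems where the group is displayed under another name.
$acl   = Get-Acl -LiteralPath $path
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' }

# Collect the rights Everyone is allowed and denied across all matching ACEs.
$allow = 0
$deny  = 0
foreach ($rule in $rules) {
    $rights = [int]$rule.FileSystemRights
    if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
        $allow = $allow -bor $rights
    } else {
        $deny = $deny -bor $rights
    }
}

# A Deny ACE overrides an Allow ACE for the same right.
$effective = $allow -band (-bnot $deny)

[pscustomobject]@{
    Path               = $path
    EveryoneAceCount   = @($rules).Count
    EveryoneCanRead    = [bool]($effective -band $ReadData)     # expected after the fix: False
    EveryoneCanExecute = [bool]($effective -band $ExecuteFile)  # expected after the fix: True
}
```

The check looks only at ACEs for Everyone. A user's access is the combination of every group in their token, so a Read grant to another group on the same file would still let members of that group read it.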