The Disable the command prompt Group Policy, at User Configuration\Administrative Templates\System, is used to manage who has access to the CMD prompt.
If the policy is left Not configured, you can use Regedt32 to navigate to:
On the Edit menu, Add Value name DisableCMD, as a REG_DWORD data type.
If the DisableCMD value name is missing from the registry, the user can run CMD.exe and batch files.
If the data value is set to 1, the user can NOT run CMD.exe, but the system can run batch files while the user is logged on.
If the data value is set to 2, the user can NOT run CMD.exe, and batch files can NOT be run on the system while the user is logged on.
NOTE: If add DisableCMD, you must also navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Policies\Microsoft\Windows\System
and add DisableCMD there also.