In tip 0362, I described how to configure the RestrictRun registry key.
The same restriction can be implemented through Group Policy with the Run only allowed Windows applications policy, in User Configuration\Administrative Templates\System.
This policy only prevents users from running programs that are started by the Windows Explorer process.
You can also implement the Don't run specified Windows applications policy, in User Configuration\Administrative Templates\System.
When the Don't run specified Windows applications policy is Not Configured, you can implement it in the registry: set the DisallowRun value name, a REG_DWORD data type, to 1 at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, and add entries to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun sub-key, just as you added entries to the RestrictRun sub-key.
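
One way to apply and check the DisallowRun settings described above from PowerShell, as an added example that is not part of the original tip. The function names and sample executable names are hypothetical, and the entry layout (string values named 1, 2, 3, ... each holding an executable file name) is an assumption, since this page does not show the RestrictRun entries.

```powershell
# Added example. Function names are hypothetical; the entry layout
# (REG_SZ values named 1, 2, 3, ...) is an assumption, not shown on this page.
$ExplorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ListKey     = Join-Path $ExplorerKey 'DisallowRun'

function Set-DisallowRunList {
    param([Parameter(Mandatory)][string[]]$Executable)

    # Create the Explorer policy key and the DisallowRun sub-key if missing.
    foreach ($key in $ExplorerKey, $ListKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    # Remove stale entries so the list matches exactly what was requested.
    foreach ($name in (Get-Item $ListKey).Property) {
        Remove-ItemProperty -Path $ListKey -Name $name
    }

    # Write one numbered string value per executable file name.
    $i = 1
    foreach ($exe in $Executable) {
        New-ItemProperty -Path $ListKey -Name "$i" -Value $exe -PropertyType String -Force | Out-Null
        $i++
    }

    # Turn the restriction on: DisallowRun (REG_DWORD) = 1 under the Explorer key.
    New-ItemProperty -Path $ExplorerKey -Name 'DisallowRun' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-DisallowRunStatus {
    # Read the DWORD switch and the list so the two can be checked against each other.
    $flag = (Get-ItemProperty -Path $ExplorerKey -Name 'DisallowRun' -ErrorAction SilentlyContinue).DisallowRun
    $entries = @()
    if (Test-Path $ListKey) {
        $item = Get-Item $ListKey
        $entries = @($item.Property | ForEach-Object { $item.GetValue($_) })
    }
    [pscustomobject]@{
        Enabled    = ($flag -eq 1)
        Entries    = $entries
        # A list without the DWORD set to 1, or the DWORD without a list, blocks nothing.
        Consistent = (($flag -eq 1) -eq ($entries.Count -gt 0))
    }
}

Set-DisallowRunList -Executable 'example1.exe', 'example2.exe'   # constructed sample names
Get-DisallowRunStatus
```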