We know that, in the D+ part, "Allow" has higher priority than "Block", so it is difficult to write a rule like: allow explorer.exe to execute all exe files in systemroot except cmd.exe.
However, if we could set up rules like the Firewall Global Policy, it would be easy. In fact, we could write a rule:
just put "block cmd.exe" above "allow %systemroot%\*"; that would be a convenient way to solve the problem.
Can we get this improvement in the next version of CIS?