This can be done. Create a file group with just explorer.exe in it and block cmd.exe. You will also have an individual set of rules for explorer.exe. Make sure this is below the group rule in computer security policy and allow %systemroot%\* in it. The block rule now has priority as it comes first.
File groups are great for global or complicated rules.
Thanks for your answer. What you say certainly solves the problem, but I think what I suggest is more convenient than yours, isn't it?