You should allow only process execution. Depending on allowed action, you might not get same alert at a later point. In other words, you should only let explorer.exe launch clt.exe. Afterwards, you block everything.
Auto-Containment: Disabled
HIPS: Safe Mode