An option to allow or block sandboxed applications from running processes

I would like this setting for manually sandboxed applications. I would like this option to prevent drive-by downloads. I know that child processes inherit the restrictions applied to their parent processes, but it is certainly much safer if unknown processes are blocked completely.

I just want that “Run an executable” setting for sandboxed applications.