Please can we have an “ask” column in the exceptions for computer security policy rules.
You could then have a better default deny rules. For example in all applications group you could add a rule to “run an executable” to block * but “ask” for c:\program files* and c:\windows*. At the moment you would have to allow these two directories and so allow malware in these directories to run.