Can I avoid automatic allow for access rights?

I am currently using CIS 3.9, and waiting for 3.11, because of the D+ bugs I see at

When I used CFP 3.0, I used paranoid mode, but I was very unhappy with all the pop-ups. With CIS 3.9, I have been using clean PC mode. To avoid lots of pop-ups, I add all executables to My Own Safe Files when I install a new application. I scan all installers at before I trust them. Basically, D+ is protecting against running executables that I didn’t install.

My problem is dealing with internet-facing applications that are treated as safe, but which can do unsafe things after picking up malware on the internet. Let’s focus on Firefox as an example. In safe mode, D+ allows Firefox.exe all access rights except “Run an executable”, “Protected Registry Keys” and “Protected Files/Folders”, which are set to Ask. To improve security, I set all other access rights to Ask (hitting apply, apply, apply), confirmed that these settings persisted, and then executed Firefox. When I looked at the access rights again, all the Ask settings had returned to the default of Allow.

How do I work around D+ automatically changing access rights to Allow while continuing to use clean PC mode? Does this D+ behavior exist in CIS 3.10? Is it a bug?

I notice that the list of Allowed Applications under “Run an executable” access rights for Firefox is about 200 long, mostly from the Windows\system32\ folder, and I only allowed about 20. Which of my settings causes D+ to automatically add this bunch of allowed executables to Firefox?