Block execution of all programs not in c:\program files and c:\windows, and for the allowed files raise a pop-up if, and only if, the executable is in my pending files. It would need a user list of allowed applications.
Allow saving of downloaded executables without a pop-up, but still get a pop-up if overwriting something in c:\windows or c:\program files, even for safe executables.
Force a pop-up from safe executables for dangerous and uncommon things like direct disk access, direct memory access, or driver installation.
Allow a program on a CD drive based on a matching hash.
My idea below could help with the first three of these.