Four things I want from defence+ for better security

Block execution of all programs not in c:\program files and c:\windows, and for the allowed files raise a pop-up if, and only if, the executable is in my pending files. It would need a user list of allowed applications.

Allow saving of downloaded executables without a pop-up, but still get a pop-up if overwriting something in c:\windows or c:\program files, even for safe executables.

Force a pop-up from safe executables for dangerous and uncommon things like direct disk access, direct memory access or driver installation.

Allow a program on a CD drive based on a matching hash.

My idea below could help with the first three of these.