Restricting trusted files - OS lockup


When installing CIS6 on a fresh Windows 7 installation, how should I configure CIS if I want a setup that will only trust the operating system, but not any application installed afterwards? I’d like to manually add trusted applications - no new programs should be added to the trusted list automatically (unless part of the OS and/or drivers like radeon gfx).

I already managed to lock up the whole Windows 7 installation by disabling and removing all trusted files from the list. How to configure it so that the critical operating system files (including drivers) are always allowed (don’t cause CIS HIPS alerts)? This would be a huge list of files, I take it.

Can I use the trusted vendors list for this purpose?