Why there is no “Allow” default action for “Run an executable” in Access rules? It would be useful if you have trusted executable which have to access lots of other executables (Gimp and its plugins for example 
), because otherwise you have to allow every single executable one by one
Simply,
Lets say a malware gets in your pc be accident, The av does not detect it, it injects a command into safe.exe and that safe.exe is now under control of the malware… and safe person can become unsafe within seconds
CG
Setting an application to ‘Windows system application’ will give it the right to start any executable. This is not recommended because of what CGPMaster said and because most applications don’t need these high of privileges.
And that’s exactly why I revised predefined security settings and disabled ability to run *.exe *.com *.bat *.cmd and *.scr files by “Windows system apps”. Lately I’ve got very nice vir on pendrive (using specially crafted autorun.inf file) and I would just slip through if I wouldn’t change that (even if autorun was disabled on all drives).