We know that, in the D+ part, "Allow" has higher priority than "Block", so it is difficult to write a rule like: Allow explorer.exe to execute all exe files in %systemroot% except cmd.exe. However, if we could set up rules similar to the Firewall Global Policy, it would be easy. In fact, we could write the rules: Block %windir%\system32\cmd.exe, Allow %systemroot%\*. Just put "block cmd.exe" above "allow %systemroot%\*"; it is a convenient way to solve the problem. Can we get this improvement in the next version of CIS?
This can be done. Create a file group with just explorer.exe in it and block cmd.exe. You will also have an individual set of rules for explorer.exe. Make sure this is below the group rule in Computer Security Policy and allow %systemroot%\* in it. The block rule now has priority as it comes first.
File groups are great for global or complicated rules.
Thanks for your answer. What you say certainly solves the problem, but I think what I suggest is more convenient than your approach, isn't it?
Most of my rules block whole directories with the odd allowed exception, and that would be harder to do your way round. I block execution of everything under c:\users and c:\appdata. This means nothing can be executed in any directory where a limited user can write, making the system very secure. There may be exceptions in these directories that need to be run.
It might be possible to let all single-program rules take precedence over wildcard rules, but this might be more complicated to understand and people might get it wrong.
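The three precedence models discussed in this thread (Allow-over-Block as described for Defense+, ordered first-match as in the Firewall Global Policy, and single-program rules outranking wildcards) can be compared on the cmd.exe case with a small simulator. The following Python is an added example written for this page; it is not Comodo code and does not reproduce the real CIS matcher. It assumes glob-style path patterns, case-insensitive matching, a `*` that also covers subfolders, and constructed expansions of %windir% and %systemroot%.

```python
import fnmatch

# Constructed expansions of the Windows variables used in the thread
# (assumption: both resolve to the same directory, as on a default install).
ENV = {"%systemroot%": r"C:\Windows", "%windir%": r"C:\Windows"}


def expand(pattern):
    """Replace %var% names in a rule pattern with their constructed expansions."""
    for name, value in ENV.items():
        pattern = pattern.replace(name, value)
    return pattern


def matches(pattern, path):
    """Case-insensitive glob match; '*' spans backslashes, so 'C:\\Windows\\*' covers subfolders."""
    return fnmatch.fnmatchcase(path.lower(), expand(pattern).lower())


def allow_wins(rules, path, default="block"):
    """Allow-over-Block: any matching Allow beats any matching Block; listed order is ignored."""
    hits = {action for action, pattern in rules if matches(pattern, path)}
    if "allow" in hits:
        return "allow"
    return "block" if "block" in hits else default


def first_match(rules, path, default="block"):
    """Ordered first-match (firewall-style): the first rule that matches decides."""
    for action, pattern in rules:
        if matches(pattern, path):
            return action
    return default


def specific_first(rules, path, default="block"):
    """Single-program rules outrank wildcard rules regardless of listed order (the idea in the last post)."""
    # False sorts before True, so patterns without wildcards are evaluated first; sort is stable.
    ordered = sorted(rules, key=lambda rule: any(c in rule[1] for c in "*?"))
    return first_match(ordered, path, default)


# The rule pair proposed in the first post, in the order the poster wants it evaluated.
RULES = [
    ("block", r"%windir%\system32\cmd.exe"),
    ("allow", r"%systemroot%\*"),
]

# Constructed sample targets: the exception, an ordinary system binary, and a user-writable path.
CMD = r"C:\Windows\System32\cmd.exe"
NOTEPAD = r"C:\Windows\notepad.exe"
USER_EXE = r"C:\Users\bob\AppData\Local\Temp\dropper.exe"


def decisions(rules=RULES):
    """Return what each model decides for the three sample targets."""
    return {
        model.__name__: {
            "cmd.exe": model(rules, CMD),
            "notepad.exe": model(rules, NOTEPAD),
            "user exe": model(rules, USER_EXE),
        }
        for model in (allow_wins, first_match, specific_first)
    }


if __name__ == "__main__":
    for model, result in decisions().items():
        print(f"{model:15} {result}")
```

With the rules as listed, `allow_wins` lets cmd.exe through (the wildcard Allow overrides the specific Block, which is the problem the first post describes), while `first_match` blocks it because the Block line comes first. Swapping the two rules flips `first_match` to allow cmd.exe, which is exactly the ordering mistake the last post worries about; `specific_first` gives the same answer in either order because the single-program rule is always evaluated before the wildcard. The user-writable path is blocked by every model only because the default here is deny, so a policy that relies on that behaviour must set the default explicitly.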