AppLocker, which is built into Windows 7 Enterprise and later, prevents unknown programs from running unless they have been installed or otherwise pre-cleared by an admin. This is increasingly necessary because even antivirus companies are publicly saying that antivirus provides little protection against current malware. Rather than attempt to enumerate what's bad, application whitelisting technologies like AppLocker enumerate what's good and deny everything else. This turns out to be less difficult than it sounds.
If a program won't run and you are directed to this page
...
The Information Security Officer will periodically review reports on such overrides and, as appropriate, add them to the centrally managed policy. This information is gathered automatically; you do not need to report overrides to the helpdesk or anyone else.
How this policy is applied: mostly report-only
...