AppLocker, which is built in to Windows 7 Enterprise and later, prevents can be configured (in "enforcing" mode) to prevent unknown programs from running unless installed or otherwise pre-cleared by an admin first. This is increasingly necessary because even antivirus companies are publicly saying that antivirus provides little protection against current malware. Rather than attempt to enumerate what's bad, application whitelisting technologies like AppLocker enumerate what's good, and deny everything else.
As of spring 2018, three departments are running in enforcing mode: HR, ITS, and BUSO. See /wiki/spaces/itskb/pages/26145761 page for more information on how this is done.
...
What should you do if a program won't run and you are directed to this page?
When a program is blocked by AppLocker, Windows will pop up "Your system administrator has blocked you from running this program" as shown at right. The "More information" link goes to the web page you are reading now.
...