Restrictions based on executable name only seem very restrictive; maybe I came in with the wrong mindset. I was looking at this being an SRP-like replacement, but the inability to do path-based rules or default deny all but allowed programs. Being executable name only without a default deny would mean a simple executable rename defeats the policy.

Can someone enlighten me, have I just totally missed the point?