Prevent that unknown executables are started in Windows

[Osiris]

Windows does not offer a way to prevent users from accessing executable files. While NTFS does offer a rights-system it is only valid of NTFS hard drives and does not come into effect if a user plugs in a USB drive, CD or floppy disk. Most computers get infected nowadays by executing email attachments followed by file downloads and Windows security holes.
Trust No Exe is a Windows security software that prevents any unknown executable from being started in Windows. It features a whitelist and blacklist and requires some time to fine tune the list so that no trusted programs get blocked from being started. The concept behind Trust No Exe is that it works as a content filter filtering all executable files even if they come with an unknown extension.

Trust-no-exe hooks into the operating systems routines for creating a process and loading it into memory. If the operating system attempts to load any compiled code into memory ready to give it execution as a process or thread, trust-no-exe will jump on it and prevent the code from being loaded into memory. Therefore trust-no-one doesn’t rely on the file extension and can not be easily fooled.

The Windows folder and the Program Files folder is added by default because these contain files that need to be accessible for Windows to start. The next steps require some time, you should add additional locations that contain executables that are trustworthy.
A good tip that I found in the Trust no Exe manual was to set read only rights for folders that do not require write rights to prevent malicious code from slipping in one of those trusted folders where it can be executed.
It does catch email attachments and supports networks and cloning settings as well. Strange that I never heard about this gem before.