Windows - Software restriction policy to block exe files in all subdirectories

As per Microsoft's guidance on GPO Software Restriction:

http://technet.microsoft.com/en-us/library/bb457006.aspx

Path Rules

A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it matches any program contained in that folder and any programs contained in subfolders. Both local and UNC paths are supported.

Using Environment Variables in Path Rules.

A path rule can use environment variables. Since path rules are evaluated in the client environment, the ability to use environment variables (for example, %WINDIR%) allows a rule to adapt to a particular user's environment.

Important: Environment variables are not protected by access control lists (ACL). If users can start a command prompt they can redefine an environment variable to a path of their choosing.

Using Wildcards in Path Rules.

A path rule can incorporate the '?' and '*' wildcards, allowing rules such as "*.vbs" to match all Visual Basic® Script files. Some examples:

• "\\DC-??\login$" matches \\DC-01\login$, \\DC-02\login$

• "*\Windows" matches C:\Windows, D:\Windows, E:\Windows

• "c:\win*" matches c:\winnt, c:\windows, c:\windir

So since a user can just redefine where %APPDATA% points to, consider using the APPDATA environment variable in your path rule, instead of the actual fully-qualified file system path.

More documentation:

The following examples show instances of applying environment variables to a path rule:

• “%UserProfile%” matches C:\Documents and Settings\User and all subfolders under this directory.

• “%ProgramFiles%\Application” matches C:\Program Files\Application and all subfolders under this directory.
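As an added illustration (not from the Microsoft article or the post above), here is a small PowerShell model of the path-rule matching the quoted documentation describes: environment variables expanded in the user's environment, the '?' and '*' wildcards, and folder rules covering subfolders. It does not use the real SRP engine; the hashtable environments and program paths are constructed, and the hypothetical `Test-SrpPathRule` function is mine.

```powershell
# Added illustration only: a small model of SRP path-rule matching as the quoted
# documentation describes it. The real SRP engine and registry are not touched.
function Test-SrpPathRule {
    param(
        [string]$Rule,        # rule as entered in the GPO, e.g. '%APPDATA%' or 'c:\win*'
        [string]$Program,     # fully qualified path of the program being started
        [hashtable]$EnvVars   # stand-in for the user's environment at evaluation time
    )
    # 1. Expand %VAR% from the client's environment. This is the step the "Important"
    #    note refers to: whoever controls the variable controls where the rule points.
    $expanded = $Rule
    foreach ($m in [regex]::Matches($Rule, '%([^%]+)%')) {
        $name = $m.Groups[1].Value
        if ($EnvVars.ContainsKey($name)) { $expanded = $expanded.Replace($m.Value, $EnvVars[$name]) }
    }
    # 2. Turn the rule into a case-insensitive regex: escape it, then map '*' and '?'
    #    to "any run of characters" / "one character" within a single path component.
    $pattern = [regex]::Escape($expanded.TrimEnd('\')) -replace '\\\*', '[^\\]*' -replace '\\\?', '[^\\]'
    if ($expanded -notmatch '\\') {
        # A bare file pattern such as *.vbs is compared against the file name only.
        return [regex]::IsMatch([IO.Path]::GetFileName($Program), '^' + $pattern + '$', 'IgnoreCase')
    }
    # 3. A folder rule covers the folder itself and every program below it.
    return [regex]::IsMatch($Program, '^' + $pattern + '(\\.*)?$', 'IgnoreCase')
}

# Constructed environments: the profile as Windows sets it up, and the same profile
# after the user has pointed APPDATA elsewhere from a command prompt.
$shippedEnv = @{ APPDATA = 'C:\Users\alice\AppData\Roaming'; USERPROFILE = 'C:\Users\alice' }
$alteredEnv = @{ APPDATA = 'C:\Users\alice\Elsewhere';       USERPROFILE = 'C:\Users\alice' }
$program    = 'C:\Users\alice\AppData\Roaming\Vendor\app.exe'   # constructed sample path

$cases = @(
    @('%APPDATA%',                      $program,                   $shippedEnv, 'variable rule, variable as shipped'),
    @('%APPDATA%',                      $program,                   $alteredEnv, 'variable rule, variable redefined by the user'),
    @('C:\Users\alice\AppData\Roaming', $program,                   $alteredEnv, 'literal path rule, variable redefined by the user'),
    @('*\Windows',                      'D:\Windows\notepad.exe',   $shippedEnv, 'wildcard drive letter, as in the examples above'),
    @('\\DC-??\login$',                 '\\DC-02\login$\logon.bat', $shippedEnv, 'UNC rule with ? wildcards'),
    @('*.vbs',                          'C:\Temp\script.vbs',       $shippedEnv, 'file-name pattern')
)
$cases | ForEach-Object {
    [pscustomobject]@{
        Rule    = $_[0]
        Program = $_[1]
        Matches = Test-SrpPathRule -Rule $_[0] -Program $_[1] -EnvVars $_[2]
        Note    = $_[3]
    }
} | Format-Table -AutoSize
```

Comparing the first three rows shows the point of the "Important" note: the literal-path rule still covers the profile folder after the variable is redefined, while the variable-based rule follows the variable.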