
Is there any way to tell Windows (XP and above) not to execute files (*.exe files) that are present in drives/folders other than certain folders that I specify? In short, I want only executables from a 'whitelist' to be executed.

I think this is better than asking users not to run any executables from whatever garbage CDs they bring from home.

splattne

5 Answers


You want Software Restriction Policies. This underutilized feature of modern Windows allows the administrator to allow or restrict executables from running based on the path or even based on a cryptographic signature. By the way, you want more than just EXEs. Software Restriction Policies has a list of 30 or 40 additional file types that you need to restrict, such as CMD and SCR (screen savers). In addition, you can block DLLs.

I would rate its effectiveness as substantially better than anti-virus. Also, it's difficult to educate users about the social engineering attacks that modern malware uses, such as getting a user to click on ListenToThisMusic.mp3.exe.

Knox
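The answer above describes the whitelist approach in words; the script below is an added example (not part of the answer, and not Microsoft's code) that builds such a policy on the local machine by writing the same registry values the SRP snap-in (secpol.msc / the Group Policy editor) writes under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`. In a domain you would set the same thing once in a GPO; the registry layout (level keys `0` = Disallowed and `262144` = Unrestricted, `Paths\{GUID}` with `ItemData`/`SaferFlags`/`LastModified`) is what the snap-in produces on XP SP2 through Windows 7 as far as I know, so verify the result in the snap-in after running it. The UNC path and the extra file extensions are assumptions for illustration.

```powershell
# Added example: whitelist-style Software Restriction Policy on the LOCAL machine.
# Run from an elevated PowerShell. Everything not matched by an Unrestricted rule
# is blocked because the default level is set to Disallowed.
$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0          # SAFER level "Disallowed"
$Unrestricted = 262144     # 0x40000, SAFER level "Unrestricted"

function New-SrpPathRule {
    param(
        [Parameter(Mandatory=$true)][string]$Path,   # may contain %EnvVars% and wildcards
        [Parameter(Mandatory=$true)][int]$Level,     # $Disallowed or $Unrestricted
        [string]$Description = ''
    )
    # One subkey per rule, named by a fresh GUID, under the level it grants.
    $key = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -PropertyType ExpandString -Value $Path        | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -PropertyType DWord        -Value 0            | Out-Null
    New-ItemProperty -Path $key -Name Description  -PropertyType String       -Value $Description | Out-Null
    # Assumption: the snap-in stores the modification time as a FILETIME QWORD.
    New-ItemProperty -Path $key -Name LastModified -PropertyType QWord -Value ([datetime]::UtcNow.ToFileTimeUtc()) | Out-Null
    return $key
}

New-Item -Path $Safer -Force | Out-Null
# 1. Default rule: anything not explicitly allowed is Disallowed.
Set-ItemProperty -Path $Safer -Name DefaultLevel       -Type DWord -Value $Disallowed
# 2. Enforcement: 2 = all software files including DLLs, 1 = everything except DLLs.
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Type DWord -Value 2
# 3. Scope: 0 = all users (including local admins), 1 = all users except local admins.
Set-ItemProperty -Path $Safer -Name PolicyScope        -Type DWord -Value 0
# 4. Designated file types. The first 31 are the stock list; the rest (assumed
#    additions) cover script hosts the stock list on older systems leaves out.
$types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS',
         'ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS',
         'URL','VB','WSC','JS','JSE','VBS','VBE','WSF','WSH','PS1'
Set-ItemProperty -Path $Safer -Name ExecutableTypes -Type MultiString -Value $types
# 5. Advanced logging: every allow/deny decision is appended to this file (path assumed).
Set-ItemProperty -Path $Safer -Name LogFileName -Type String -Value 'C:\Windows\Temp\srp.log'

# Allowed locations. Use system %-variables rather than C:\ so the rule survives a
# different system drive; never use user-controllable ones such as %USERPROFILE%.
New-SrpPathRule -Path '%SystemRoot%'              -Level $Unrestricted -Description 'Windows'
New-SrpPathRule -Path '%ProgramFiles%'            -Level $Unrestricted -Description 'Program Files'
New-SrpPathRule -Path '%ProgramFiles(x86)%'       -Level $Unrestricted -Description 'Program Files (x86), no-op on 32-bit'
New-SrpPathRule -Path '\\corp.example\netlogon\*' -Level $Unrestricted -Description 'Assumed: logon script share'

# The most specific matching path rule wins, so user-writable folders inside an
# allowed tree must be closed again with narrower Disallowed rules.
New-SrpPathRule -Path '%SystemRoot%\Temp'  -Level $Disallowed -Description 'user-writable'
New-SrpPathRule -Path '%SystemRoot%\Tasks' -Level $Disallowed -Description 'user-writable'
```

New processes pick the policy up immediately; already-running ones are unaffected. Leave `TransparentEnabled` at 1 for a first rollout and read `srp.log` for a few days before switching DLL checking on, because DLL enforcement is where most "it worked yesterday" tickets come from.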

I'd be careful with this. You won't be able to lock everything down 100%, and you will make the machines nearly impossible for users to use. You should look at educating your users and putting process, policy and education in place. You need to find the right BALANCE between restricting actions and end-user productivity.

I see a LOT of wasted $$$ in companies where they make users' lives absolute hell just to make things a little bit easier for the support guys.

Bruce McLeod

You can whitelist using software restriction policies in GPOs but I'm not sure how effective it is. I'd bet a small donut on it working with most non-malicious users in most places but I wouldn't bet my career on it working anywhere and I wouldn't count on it in places where I expected it to come under attack (e.g. educational environment).

You can certainly block code from running from certain devices and areas of the disk with a combination of ACLs and Software Restriction Policies, and that is a useful security tool, but I'd make it a small part of a security policy, not the cornerstone of one.

Rob Moir
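The point about ACLs is the practical weakness of any path-based whitelist: an allowed tree is only as good as the permissions inside it, because a user who can write into an allowed folder can drop an executable there and it runs as "allowed". The script below is an added example (not from the answer) that walks the trees a whitelist would typically allow and lists every directory an ordinary user can create files in. It assumes PowerShell 2.0 or later and that the caller can read the ACLs; the list of low-privilege identities is a reasonable default, not an exhaustive one.

```powershell
# Added example: find user-writable directories inside whitelisted trees.
$LowPrivIdentities = @(
    'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\ANONYMOUS LOGON'
)

function Get-UserWritableDirs {
    param([Parameter(Mandatory=$true)][string[]]$Root)
    # Creating a file needs WriteData; creating a subdirectory needs AppendData.
    # Modify and FullControl contain both bits, so the mask catches them too.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [System.Security.AccessControl.FileSystemRights]::AppendData
    foreach ($r in $Root) {
        $dirs = @(Get-Item -LiteralPath $r -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $r -Recurse -Force -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSIsContainer })
        foreach ($d in $dirs) {
            $acl = $null
            try { $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction Stop } catch { continue }
            $allow = @(); $deny = @()
            foreach ($ace in $acl.Access) {
                if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
                if (($ace.FileSystemRights -band $writeMask) -eq 0)               { continue }
                if ($ace.AccessControlType -eq 'Allow') { $allow += $ace.IdentityReference.Value }
                else                                    { $deny  += $ace.IdentityReference.Value }
            }
            # A Deny ACE for the same identity overrides its Allow.
            $effective = @($allow | Where-Object { $deny -notcontains $_ } | Sort-Object -Unique)
            if ($effective.Count -gt 0) {
                New-Object PSObject -Property @{
                    Path       = $d.FullName
                    WritableBy = ($effective -join ', ')
                }
            }
        }
    }
}

# Audit the trees a typical whitelist allows.
Get-UserWritableDirs -Root "$env:SystemRoot", "$env:ProgramFiles" |
    Sort-Object Path | Format-Table Path, WritableBy -AutoSize
```

On a stock installation this turns up a handful of directories under %SystemRoot% (Temp and Tasks among them) plus whatever badly packaged applications have opened up under Program Files. Each hit needs either a tighter ACL or a more specific Disallowed path rule; otherwise the whitelist has a hole exactly where an attacker would look first.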

You could use Cisco Security Agent with a rule that (after a "watch only" period for training) blocks any executable that hasn't run before.

You can allow executables from certain directories if you want.

hellimat

It's much easier to blacklist than it is to whitelist. Most likely you have an idea of what you don't want the users to run. The way Windows handles this is through Software Restriction Policies in your GPO. Software Restriction Policies can be used for allowing software to run as well as denying it. There are four different methods available: hash rules, certificate rules, path rules, and Internet zone rules.

Hash rules use an MD5 or SHA-1 hash of a file for matching. This can be an uphill battle. Trying to block something like pwdump using just a hash rule is going to result in LOTS of entries, one for each different version of pwdump, and when a new version comes out you need to add that as well.

Path rules are based on the location of the file on the file system. So you could restrict "\program files\aol\aim.exe", for example, but if the user chooses to install it into "\myapps\aol\aim.exe" it would be allowed. You can use wildcards to cover more directories. It is also possible to use a registry path if the software has a registry entry but you don't know where it will be installed.

Certificate rules are useful for software that includes a certificate, which means mostly commercial software. You could build up a list of certs that are allowed to run on your systems and deny everything else.

Internet Zone Rules only apply to Windows Installer Packages. I've never used this so I can't comment on it much.

A proper GPO will use several of these rules to cover everything. Restricting software requires you to really think about what you want to prevent to get it right. Even then, it's probably still not right. TechNet has some good articles on using Software Restriction Policies, and I'm sure there are other good docs on Microsoft's site that can be found through your favorite search engine.

Good Luck!
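Once several rule types are mixed in one GPO, the first thing to know is the precedence Windows applies: a hash rule beats a certificate rule, which beats a path rule, which beats an Internet zone rule, and among path rules the most specific match wins. The second thing is to see what the GPO actually wrote to the machine. The script below is an added example (not from the answer) that reads the SRP policy back out of `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers` and lists each hash, path and zone rule with the level it grants. It assumes the registry layout the SRP snap-in uses (level subkeys named by their numeric value, `Paths`, `Hashes` and `UrlZones` subkeys, hash `ItemData` stored as REG_BINARY with `HashAlg` and `ItemSize` alongside); certificate rules live in the policy certificate stores rather than under this key and are left out.

```powershell
# Added example: dump the effective Software Restriction Policy from the registry.
$Safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$LevelName   = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'
                  131072 = 'Basic User'; 262144 = 'Unrestricted' }
$HashAlgName = @{ 32771 = 'MD5'; 32772 = 'SHA1'; 32780 = 'SHA256' }   # CALG_* values

function Get-SrpPolicy {
    if (-not (Test-Path $Safer)) { return $null }   # no policy defined
    $root = Get-ItemProperty -Path $Safer
    # Level subkeys are named by their numeric value: "0", "262144", ...
    $levelKeys = Get-ChildItem -Path $Safer | Where-Object { $_.PSChildName -match '^\d+$' }
    $rules = foreach ($lk in $levelKeys) {
        $level = [int]$lk.PSChildName
        foreach ($kind in 'Paths', 'Hashes', 'UrlZones') {
            $kindKey = Join-Path $lk.PSPath $kind
            if (-not (Test-Path $kindKey)) { continue }
            foreach ($rk in Get-ChildItem -Path $kindKey) {
                $p = Get-ItemProperty -Path $rk.PSPath
                $match = switch ($kind) {
                    'Paths'    { [string]$p.ItemData }
                    'Hashes'   {
                        # Assumption: ItemData is the raw digest (REG_BINARY).
                        $hex = if ($p.ItemData -is [byte[]]) {
                                   ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                               } else { [string]$p.ItemData }
                        $alg = if ($p.HashAlg) { $HashAlgName[[int]$p.HashAlg] } else { '?' }
                        '{0} ({1}, {2} bytes)' -f $hex, $alg, $p.ItemSize
                    }
                    'UrlZones' { 'Internet zone ' + [string]$p.ItemData }
                }
                New-Object PSObject -Property @{
                    Level       = $LevelName[$level]
                    Kind        = $kind.TrimEnd('s')
                    Match       = $match
                    Description = [string]$p.Description
                }
            }
        }
    }
    # If DefaultLevel is absent the engine behaves as Unrestricted.
    $default = if ($root.PSObject.Properties['DefaultLevel']) {
                   $LevelName[[int]$root.DefaultLevel] } else { 'Unrestricted (not set)' }
    New-Object PSObject -Property @{
        DefaultLevel = $default
        Enforcement  = @{ 1 = 'all files except DLLs'; 2 = 'all files including DLLs' }[[int]$root.TransparentEnabled]
        Scope        = @{ 0 = 'all users'; 1 = 'all users except local administrators' }[[int]$root.PolicyScope]
        FileTypes    = $root.ExecutableTypes
        Rules        = @($rules)
    }
}

$policy = Get-SrpPolicy
if ($policy) {
    $policy | Format-List DefaultLevel, Enforcement, Scope
    $policy.Rules | Sort-Object Kind, Level | Format-Table Kind, Level, Match, Description -AutoSize
} else {
    'No Software Restriction Policy is defined on this machine.'
}
```

Reading the policy back is also the quickest way to spot the two classic mistakes the answer warns about: a pile of hash rules for one product's many versions, and a path rule written against a specific install directory that the user can simply avoid.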