A. The ability for administrators to run the blocked application in an elevated command prompt is by design but can be changed. Blocked applications may be needed by administrators, so a rule allowing administrators to run all applications from all paths is added by default (see Figure 1 below).
Figure 1: AppLocker
The way AppLocker works is any application not allowed by a rule is blocked implicitly, but this Allow rule for administrators is what facilitates administrators running any application. Note that an explicit Deny rule of an application still applies to administrators, because an explicit Deny takes precedence over an explicit Allow.
If you want to stop administrators from being able to run any application, you can either delete the rule for administrators or modify it. Open the Group Policy Object that defines the AppLocker rules, and navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Application Control Policies, AppLocker, Executable Rules. Then double-click the BUILTIN\Administrators rule and change as needed.
