I need to prevent users from using cmd.exe to run applications and batch files. How can I do so?

Cmd.exe is a potential back door to many executable files. You can make a registry change to stop the use of cmd.exe and even stop batch files from running, although you should always be cautious about editing the registry.

Open a registry editor and go to the HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System registry subkey. Add the DisableCMD value (of type REG_DWORD). You can set this value to 1 or 2. A setting of 1 will prevent users from running cmd.exe but will let users run batch files. A setting of 2 will prevent users from using cmd.exe and from running batch files.