...
As soon as the policy is downloaded by an endpoint, the targeted application(s) will have an additional process token set to "Application Classification\InternetApp". You can then create additional application control policies to target that token and deny the process from creating new processes, or you can set ACLS on folders and files to deny the targeted application from having access.
Related Links