Application Classification actions are used to set the user token on processes. After the token is set, standard Windows ACLs will be enforced when the application accesses files, folders, and other system settings. An example of using this application action can be found here Protect against Internet ApplicationsApplication Classification actions restrict applications from modifying certain items and will enforce standard Windows ACLs when the targeted application accesses restricted files, folders, registry keys, or services on a computer. (For details about how to create an Application Classification action, go to Protect against Internet Applications.)