Application Classification actions are used to set the user token on processes. After the token is set, actions restrict applications from modifying certain items and will enforce standard Windows ACLs will be enforced when the targeted application accesses restricted files, folders, and other system settings. An example of using this application action can be found in steps 2-4 of Protect against Internet Applications
As soon as the policy is downloaded by an endpoint, the targeted application(s) will have an additional process token set to "Application Classification\InternetApp". You can then create additional application control policies to target that token and deny the process from creating new processes, or you can set ACLS on folders and files to deny the targeted application from having access.
Sort of, when the application classification action is applied then the process it was applied to will have access restrictions to certain resources on a computer. The idea is that you can classify applications as “Internet” or “Email” applications and restrict them from modifying items such as files, folder, registry keys, services, etc. on a computer., registry keys, or services on a computer. (For details about how to create an Application Classification action, go to Protect against Internet Applications.)