Show confirmation popup before running any downloaded program in Windows 10

Show confirmation popup before running any downloaded program in Windows 10

I often download files either using my browser or by torrenting. Few times, I encountered an attack where the torrented file was called something like movie.mp4.lnk and the target was set to run a powershell script using cmd.exe /c "powershell.exe -ExecutionPolicy Bypass ...". Fortunately, I always noticed the extension before running it, but I may not always be so lucky.

I'd like to configure Windows (I'm using Windows 10 Education) to show a confirmation popup whenever I attempt to run any potentially malicious file (exe, msi, cmd, bat and ps1 for starters) outside a list of defined folders. I'm comfortable with GPO and powershell, would like to avoid solutions using 3rd party programs if possible.

I already tried to configure AppLocker, but

1. it outright blocks the file, which is usually not what I want, as I often download legitimate programs,
2. for some strange reason, it allows .lnk files with scripts as target.

Ideal scenario:

1. I run notepad.exe, located in C:/Windows/System32, which is whitelisted as a system folder, and it runs without any confirmation.

2. I download a file by torrenting, called awesomeMovie.mp4.exe, to a media folder, maybe D:/Movies/Downloaded. After clicking it, a confirmation dialog pops up, and I have to explicitly click Yes before the program runs. If the file was instead called awesomeMovie.mp4, it opens in my media player without any popup.