To prevent software from running in particular folders, you can create a Software Restriction Policy (SRP) which blocks files in those folders.
An SRP can stop downloaded executable files from running in the default "Downloads" folder, so that users have to make a conscious effort to move a file to a suitable location before they can run it.
For a Local Windows Workstation
First open SECPOL as an administrator
Locate the "Software Restriction Policies" in the tree on the left hand side
Right click on the "Software Restriction Policies" folder and select "New Software Restriction Policies" if you don't already have a policy available.
Once you have created the policy (or if one exists already) you need to expand the folder structure to reveal "Security Levels" and "Additional Rules"
Right click on the "Additional Rules" folder and select "New Path Rule"
Create a new rule which sets the path:
%userprofile%\Downloads
and ensure that the security level is "Disallowed"
Click Apply and then OK to leave the Policy Editing screen
You will now need to refresh your local machine policy from an Admin Command Prompt by running:
gpupdate
You should now find that no application files will run if the executable file is within the Downloads folder on the workstation.
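To confirm the result of the steps above, the following PowerShell check looks for the Disallowed path rule and then tries to start a harmless executable from Downloads. It is an added example, not part of the original instructions; it assumes the rule is stored under the standard SRP policy key in HKLM (subkey "0" being the Disallowed level), and the probe file name srp-probe.exe is constructed for the test.

```powershell
# Added example: verify the Downloads rule exists and is enforced.
# Assumption: SRP path rules live under this policy key; "0" = Disallowed level.
$base   = 'SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths'
$wanted = '%userprofile%\Downloads'

$paths = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($base)
if (-not $paths) {
    Write-Warning 'No Disallowed path rules are defined on this machine.'
    return
}

# Read ItemData without expanding environment variables; otherwise
# %userprofile% would resolve to the profile of whoever runs this check.
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
$rules = foreach ($name in $paths.GetSubKeyNames()) {
    $paths.OpenSubKey($name).GetValue('ItemData', $null, $noExpand)
}

$match = $rules | Where-Object { $_ -and ($_.TrimEnd('\') -ieq $wanted) }
if ($match) {
    Write-Output "Rule present: $match (Disallowed)"
} else {
    Write-Warning "No Disallowed rule for $wanted. Rules found: $($rules -join '; ')"
}

# Functional check: copy a harmless system binary into Downloads and try to run it.
# srp-probe.exe is a constructed name used only for this test.
$probe = Join-Path $env:USERPROFILE 'Downloads\srp-probe.exe'
Copy-Item "$env:SystemRoot\System32\whoami.exe" $probe
try {
    & $probe | Out-Null
    Write-Warning 'Probe executed: the rule is not being enforced for this user.'
} catch {
    Write-Output "Probe blocked: $($_.Exception.Message)"
} finally {
    Remove-Item $probe -ErrorAction SilentlyContinue
}
```

Run it as the user whose Downloads folder you want to test, since %userprofile% is resolved per user when the rule is applied.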