HOTSPOT
Your network contains an Active Directory domain named contoso.com. All client computers run Windows 8.
An administrator creates an application control policy and links the policy to an organizational unit (OU) named
OU1. The application control policy contains several deny rules. The deny rules apply to the Everyone group.
You need to prevent users from running the denied application.
What should you configure?
To answer, select the appropriate object in the answer area.
Hot Area:

Answer:

Explanation:
To enable the Enforce rules enforcement setting by using the Local Security Policy snap-in
1. Click Start, type secpol.msc in the Search programs and files box, and then press ENTER.2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then
click Yes.
3. In the console tree, double-click Application Control Policies, right-click AppLocker, and then click Properties.
4. On the Enforcement tab, select the Configured check box for the rule collection that you want to enforce, and
then verify that Enforce rules is selected in the list for that rule collection.
5. Repeat step 4 to configure the enforcement setting to Enforce rules for additional rule collections.
6. Click OK.
You should apply an application control policy for executable rules. When AppLocker policies from various
GPOs are merged, both the rules and the enforcement modes are merged. The most similar Group Policy
setting is used for the enforcement mode, and all rules from linked GPOs are applied.

Exam Ref 70-410: Installing and Configuring Windows Server 2012 R2, Chapter 6: Create and Manage Group
Policy, Objective 6.2: Local Users and Groups, p. 329.
http://technet.microsoft.com/en-us/library/dd759115.aspx