Short version:
- You want Mandatory Access Control
- Real-world Industry Best Practices use of MAC is rare
- The use of bastions is the most common widely-accessible alternative
Long version:
The ability to apply fine-grained controls over not only the users but the processes able to access data is generally only found in Mandatory Access Control systems. Such systems are historically used, for example, to ensure that data with differing government/military classification levels are not inappropriately leaked across classification boundaries.
These systems are generally only seen in government, military, and defense contracting where classification is taken very seriously. "Regular" businesses don't support that level of red tape.
There are various implementations of MAC available to you. Cisco Security Agent used to allow you to do exactly that; say that \DOMAINFILES\SECRET STUFF\SUPER SECRETS.xlsx could only be accessed by C:\Program Files\Microsoft Office\excel.exe and not C:\Program Files\Microsoft Office\outlook.exe. Unfortunately, Cisco killed CSA :*
One workaround you'll see is the use of bastion hosts or bastion environments. For example, a company might block access to their bank from regular workstations, but permit it from a bastion host (RDP or Citrix) which finance employees must log into in order to perform sensitive transactions (e.g., wire tens of thousands of dollars). The browser on the bastion is only used for this purpose, and is therefore less likely to become infected with malware that will capture and forward the bank credentials. The user's desktop browser can still be used to browse the Internet, with all the inherent dangers, without fear of exposing the higher-value transactions to malcode.
It might interest you that non-traditional systems are playing with other concepts of access. In Android, for example, each application is installed and run as a different user id, and access across application ids is not granted by default.
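As an added illustration (not part of the original answer), here is a toy policy check in Python showing what a MAC decision can take into account that a plain user-based ACL cannot: the calling process and the classification label. The file paths, user names and labels are constructed; the no-read-up / no-write-down rules are the Bell-LaPadula ones, which the answer does not name.

```python
# Added example, not from the original answer. All data below is constructed.
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

EXCEL = r"C:\Program Files\Microsoft Office\excel.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\outlook.exe"
SECRET_XLSX = r"\\fileserver\finance\SUPER SECRETS.xlsx"
PUBLIC_TXT = r"\\fileserver\public\notes.txt"


@dataclass(frozen=True)
class Request:
    user: str        # interactive user: the only thing a discretionary ACL looks at
    process: str     # image path of the calling process: MAC can key on this as well
    clearance: str   # label of the subject's session
    path: str        # object being accessed
    access: str      # "read" or "write"


# Discretionary ACL (constructed): object -> {user: permitted rights}
DAC_ACL = {
    SECRET_XLSX: {"alice": {"read", "write"}},
    PUBLIC_TXT: {"alice": {"read", "write"}},
}

# Mandatory policy (constructed): object -> (classification, processes allowed to open it)
# A process set of None means any process may open the object.
MAC_POLICY = {
    SECRET_XLSX: ("SECRET", {EXCEL}),
    PUBLIC_TXT: ("UNCLASSIFIED", None),
}


def dac_allows(req: Request) -> bool:
    """User-based check only; it cannot tell excel.exe from outlook.exe."""
    return req.access in DAC_ACL.get(req.path, {}).get(req.user, set())


def mac_allows(req: Request) -> bool:
    """Process allow-list plus label comparison; unlabelled objects are denied."""
    if req.path not in MAC_POLICY:
        return False
    label, processes = MAC_POLICY[req.path]
    if processes is not None and req.process not in processes:
        return False
    subject, obj = LEVELS[req.clearance], LEVELS[label]
    if req.access == "read":
        return subject >= obj   # no read-up
    return subject <= obj       # no write-down: a SECRET session cannot leak into a lower file


def decide(req: Request) -> bool:
    """Both layers must agree; MAC only ever tightens what DAC already permits."""
    return dac_allows(req) and mac_allows(req)
```

Run `decide` on a few requests to see that Outlook is refused on the spreadsheet even though the user holds read rights, and that a SECRET-labelled session cannot write into the unclassified file.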