It's much easier to Blacklist than it is to Whitelist. Most likely you have an idea of what you don't want the users to run. The way Windows handles this is through Software Restriction Policies in your GPO. Software Restriction Policies can be used for allowing software to run as well as denying it. There are four different methods available to use and they are: Hash rules, Certificate rules, Path rules, and Internet zone rules.
Hash Rules use an MD5 or SHA-1 hash of a file in their match. This can be an uphill battle. Trying to block something like pwdump using just a hash rule is going to result in LOTS of entries, one for each different version of pwdump. And when a new version comes out you need to add that as well.
Path Rules are based on the location of the file on the file system. So you could restrict "\program files\aol\aim.exe" for example, but if the user chooses to install it into "\myapps\aol\aim.exe" it would be allowed. You can use wildcards to cover more directories. It is also possible to use the registry path if the software has a registry entry but you don't know where it will be installed.
Certificate rules are useful for software that includes a certificate, which means mostly commercial software. You could build up a list of Certs that are allowed to run on your systems and deny everything else.
Internet Zone Rules only apply to Windows Installer Packages. I've never used this so I can't comment on it much.
A proper GPO will use several of these rules to cover everything. Restricting software requires you to really think of what you want to prevent to get it right. Even then, it's probably still not right. TechNet has some good articles on using Software Restriction Policies, and I'm sure there are other good docs off Microsoft's site found through your favorite search engine.
Good Luck!
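
A simplified model of the hash-rule and path-rule matching described above, added here as an example and not part of the original post. The rule sets, the byte strings standing in for binaries, and the `evaluate` and `coverage_report` names are constructed for illustration; real Software Restriction Policies have more rule types and precedence details than this models.

```python
import hashlib
from fnmatch import fnmatchcase

# Constructed sample data: byte strings stand in for two builds of one
# unwanted program. No real binaries or hashes are involved.
BUILD_V1 = b"constructed sample: unwanted program, build 1"
BUILD_V2 = b"constructed sample: unwanted program, build 2"


def sha1(data: bytes) -> str:
    """SHA-1 is one of the two digests the post says hash rules use."""
    return hashlib.sha1(data).hexdigest()


# Blacklist-style deny rules; anything that matches no rule is allowed to run.
DENY_HASHES = {sha1(BUILD_V1)}                  # one entry per known build
DENY_PATHS = [r"*\program files\aol\aim.exe"]   # wildcard path rule


def evaluate(path: str, content: bytes) -> str:
    """Return which deny rule matches, or 'allowed' if none does."""
    if sha1(content) in DENY_HASHES:
        return "denied:hash"
    # Windows paths are case-insensitive, so compare lower-cased.
    if any(fnmatchcase(path.lower(), pat.lower()) for pat in DENY_PATHS):
        return "denied:path"
    return "allowed"


def coverage_report() -> dict:
    """Check every build/location combination against the deny rules."""
    default = r"C:\Program Files\AOL\aim.exe"
    relocated = r"C:\myapps\aol\aim.exe"
    cases = [
        ("known build, default path", default, BUILD_V1),
        ("known build, relocated", relocated, BUILD_V1),
        ("new build, default path", default, BUILD_V2),
        ("new build, relocated", relocated, BUILD_V2),
    ]
    return {name: evaluate(path, content) for name, path, content in cases}


if __name__ == "__main__":
    for name, verdict in coverage_report().items():
        print(f"{name:28} {verdict}")
```

The last case is the gap to look for when reviewing a blacklist: a build with no hash entry, in a directory no path rule covers, matches nothing and runs.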