How to include subfolders in a Windows path?


I would like to follow this guide to lock down a machine by blocking the execution of binary files for a specific user via a group policy in the MMC, like so: https://blog.brankovucinec.com/2014/10/24/use-software-restriction-policies-to-block-viruses-and-malware/

However, I have been unable to set the path recursively so far, which is a problem, as the user only has to unpack an e-mail attachment into its own directory to be able to execute a file. It's not feasible to include every possible subfolder.

The guide doesn't address this issue. Is there any way to specify the path including all subfolders?

Prototype700

Posted 2019-11-19T21:23:52.707


In case you don't get an answer quickly, have you looked on the Spiceworks forum?

– JW0914 – 2019-11-19T21:36:16.030

"as the user only has to unpack an e-mail attachment into its own directory to be able to execute a file." - The link you provided indicated that %AppData%\*\*.exe would block the executable in any subfolder within %AppData%. It might be easier to configure which executables the user CAN run, and then disallow any executable that isn't one of those. – Ramhound – 2019-11-19T22:08:15.317

@Ramhound, actually, I haven't been able to reproduce this; however, I am certain that this approach will only affect direct subfolders, if anything, meaning it will block %APPDATA%\a\ and %APPDATA%\b but not %APPDATA%\a\c, so it's ineffective against newly created folders. – Prototype700 – 2019-11-19T22:42:41.093

@Prototype700 - It is trivial to prevent a user from creating new folders in the %AppData% directory. If you have not been able to reproduce your issue, what exactly is your question? I am confused by your last statement. – Ramhound – 2019-11-19T22:46:39.600

@Ramhound, in this particular case, it's actually not (only) the %APPDATA% directory from which running executables should be prevented, but a whole partition tree (D:). The user keeps downloads and documents there. He/she can't and should not be prevented from creating subfolders on the partition, because files need to be managed; however, they should not be able to execute binary files (at all) there. The C:\ drive access is already restricted, so that is the only place they could (accidentally) run malicious binaries from. – Prototype700 – 2019-11-19T22:52:56.170
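As an added example (not from the question or the linked guide), the following PowerShell snippet lists the Software Restriction Policy path rules that are actually stored in the policy registry keys, so one can verify which paths a user ends up with as Disallowed or Unrestricted after `gpupdate`. It assumes the standard SRP layout under `...\Policies\Microsoft\Windows\Safer\CodeIdentifiers` in both the machine and the user hive; the level-to-name mapping is the one SRP uses.

```powershell
# Added example: enumerate Software Restriction Policy (SRP) path rules from
# the registry to verify what the configured rules resolved to.
# Assumption: the standard SRP layout under ...\Safer\CodeIdentifiers, in the
# machine hive (Computer Configuration) and the user hive (User Configuration).
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }
$roots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
)

$rules = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    $cfg = Get-ItemProperty -Path $root
    # DefaultLevel is what applies when no rule matches; TransparentEnabled=2
    # also covers DLLs; PolicyScope=1 exempts local administrators.
    Write-Host ("== {0}  DefaultLevel={1}  TransparentEnabled={2}  PolicyScope={3}" -f `
        $root, $levelNames[[int]$cfg.DefaultLevel], $cfg.TransparentEnabled, $cfg.PolicyScope)

    foreach ($level in $levelNames.Keys) {
        $pathsKey = Join-Path $root "$level\Paths"
        if (-not (Test-Path $pathsKey)) { continue }
        Get-ChildItem -Path $pathsKey | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Hive        = $root.Split(':')[0]
                Level       = $levelNames[$level]
                Path        = $rule.ItemData
                # Environment-variable paths (%AppData%) expand here; registry
                # path rules (%HKEY_LOCAL_MACHINE\...%) are left as written.
                Expanded    = [Environment]::ExpandEnvironmentVariables($rule.ItemData)
                Description = $rule.Description
            }
        }
    }
}

# A path rule that names a folder (for example D:\) applies to that folder and
# everything beneath it, so newly created subfolders need no extra entries;
# wildcard rules such as %AppData%\*\*.exe match only the literal depth written.
$rules | Sort-Object Hive, Level, Path | Format-Table -AutoSize
```

Run it in the context of the restricted user (or after `gpupdate /force` on the machine) and compare the Disallowed entries against the folder tree you intended to cover.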

No answers