I was looking here.
Now, it sounds promising to be able to restrict where programs are executed from, making sure they only execute from %PROGFILES% and %WINDIR%, but I have to wonder how enforceable and lock-downable that is to do. Assuming that page is followed, and there are no current vulnerabilities (only for the purposes of my question).
Can you ensure that programs can't be executed from %TEMP%, that programs couldn't just be launched from cmd or start commands, or from within other programs? Basically, are there any ways around this, and if so, how could you lock them down?
I think Software Restriction Policies, introduced with Windows XP and Windows Server 2003, are a valid instrument to prevent unwanted programs from running.
If the Path rules you describe are not secure enough in your opinion, you could always add hash rules (cryptographic "fingerprints" of the executables that remain the same regardless of the file name or location) and certificates.
The only way (that I know) to bypass Software Restriction Policies in Windows XP is using a secondary logon account (start with "Run As").
Coming in Windows 7 Enterprise & Server 2008 R2: AppLocker
I saw a demo of this at a recent TechNet Conference. You can restrict / allow based on the following characteristics of the executable:
- Path Rules
- Hash Rules
- Publisher Rules
Using the above rules together, you can "ensure that programs can't be executed from %TEMP%, that programs couldn't just be launched from cmd or start commands, or from within other programs?"
More info here.
Anapologetos
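As an added illustration of the rule types listed above (not part of this answer), the following PowerShell builds a Path-only AppLocker policy limited to %PROGRAMFILES% and %WINDIR%, then uses Test-AppLockerPolicy to compare it with a Publisher/Hash policy for the same file copied into %TEMP%. It assumes Windows 7 Enterprise / Server 2008 R2 or later with the AppLocker module; the rule names, GUIDs and the notepad.exe copy are constructed for the demo.

```powershell
Import-Module AppLocker

# Constructed scenario: a legitimate, signed Windows binary dropped into %TEMP%.
$work     = Join-Path $env:TEMP 'applocker-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$original = Join-Path $env:WINDIR 'System32\notepad.exe'
$dropped  = Join-Path $work 'notepad.exe'
Copy-Item $original $dropped -Force

# 1. Path rules only, allowing Everyone (S-1-1-0) to run from the two folders
#    the question wants to limit execution to. Rule GUIDs are generated here.
function New-PathRule([string]$Name, [string]$Path) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}
$pathPolicy = Join-Path $work 'path-only.xml'
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$(New-PathRule 'Program Files' '%PROGRAMFILES%\*')
$(New-PathRule 'Windows folder' '%WINDIR%\*')
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $pathPolicy -Encoding UTF8

# AppLocker decides on the image being loaded, not on the parent process, so
# starting the file from cmd.exe, "start" or another program changes nothing.
# With Enabled enforcement, a file matching no Allow rule is DeniedByDefault.
Test-AppLockerPolicy -XmlPolicy $pathPolicy -Path $original, $dropped -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# 2. Publisher rule derived from the dropped copy (hash fallback if unsigned).
#    Both rule types ignore file name and location, so the same copy in %TEMP%
#    is allowed: location-independent rules widen, path rules narrow.
$info = Get-AppLockerFileInformation -Path $dropped
$pub  = [xml](New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash -User Everyone -Xml)
$pub.AppLockerPolicy.RuleCollection.SetAttribute('EnforcementMode', 'Enabled')
$pubPolicy = Join-Path $work 'publisher.xml'
$pub.Save($pubPolicy)
Test-AppLockerPolicy -XmlPolicy $pubPolicy -Path $dropped -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule

# Apply only from an elevated session, after reviewing the Exe collection:
# Set-AppLockerPolicy -XmlPolicy $pathPolicy -Merge
```

Running the two tests side by side shows why the answer suggests combining rule types: path rules alone block the %TEMP% copy, while a publisher or hash rule for the same binary allows it from any folder.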
A public lab at our university apparently uses this policy in a Vista environment, but it doesn't seem to be completely restricted. I'm not sure what the rules are. Portable PuTTY works from my desktop, for instance. One time I wanted to run the simple LAME executable from my desktop to encode a wave file and it wouldn't run.
I am personally not a big fan, but McAfee Enterprise 8.5i (and prob others) will allow you to easily create custom rules that restrict where .exe's fire off from.