John,
To get closest to what you are looking for, you will likely want to utilize the "Strict" policy. This policy has been created to mostly allow for normal Windows operations. Any applications that fall outside of the normal, pre-defined operations of Windows will fall to a standard-privilege process set, which is highly restricted in the "Strict" policy. The "Core" policy is considerably less restrictive toward this standard-privilege process set. The "Core" policy is easier to implement, as it requires less tuning to function properly with third-party apps.
Understand that when I indicate normal Windows operations will be allowed to function, I am strictly talking about Windows-related activities. Any third-party applications, and even many non-core Windows options, will be restricted pending your tuning. Also, custom monitoring and maintenance scripts which you run will likely all need to be tuned as well. This is not an insignificant undertaking, but the security achieved from a properly tuned policy is far greater than what can be obtained from other trust-based security products. Please feel free to reach out again if you need/want further assistance!
Chris Tyrrell
Compliance Practice Lead
Conventus Corp
ctyrrell@conventus-sei.com