In Application Control Rules, make a distinction between files and folders
One of our customers blocks create, modify or delete with iexplore.exe and explorer.exe by a rule applied to Files and Folders that match *.* with exceptions defined. So these exeptions are allowed to be modified. Read permission is granted.
This makes sense for files. The problem is that this way you are also unable to create folders with a dot in its name. I think it would be good to distinct between files and folders.