Please forget my suggestion above. It won't work properly because there is no exclusion list in the System Lockdown form :-(
The only way I see is to thoroughly create a list of apps that may only run from %programfiles% (fingerprints or app name) and add them to an Application Control rule.
The condition of this rule should look like this:
As you see, you have to insert the processes that may only run from %programfiles% (either fingerprints or process name). Exclude the %PROGRAMFILES% folders and select "Block access" in the Action tab. This way the apps will be blocked unless they are in the %programfiles% folders.
On the rule level ("Rule 1") don't forget to insert an asterisk "*" (without quotes).
I admit this is not an elegant solution, and it requires some maintenance.