The methods that can be used to restrict application execution are many, but for restriction to be granular, security must be built into the application in the form of roles. To be effective and easy to administer, roles should map to actual user job functions.
Even if sophisticated application security is in place, it is wise to remember that the first level of defense may be file, folder, and registry key ACLs. ACLs can prevent someone from running an application at all. If that is your purpose, even if you have more sophisticated tools to configure security, you would be wise to set file ACLs, too. The next chapter will discuss ACLs on files, folder, and registry keys.