Hi,

In a non-domain environment you can create a software restriction policy for
cmd.exe and command.com. You can do it in Group Policy.
Open Group Policy -> expand Computer Configuration -> Security Settings ->
Software Restriction Policies. Right-click Additional Rules; my suggestion
is a Hash rule. It is the most reliable, but it is still possible to get around it.
For example, applying a service pack might change cmd.exe. This will most likely
change the hash, and users will be able to run the cmd.exe command.

In a domain environment you can, for example, change the permissions on the file and give only
admins full control, and remove all other users and groups...
Open Group Policy -> expand Computer Configuration -> Security Settings ->
File System. Add the file c:\windows\system32\cmd.exe and select who has
any rights on it...

Good luck
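
The following PowerShell script is an added example, not part of the post above. It checks after patching whether both controls described there still hold for cmd.exe: whether the file has changed since the hash rule was created, and whether anyone outside the intended set has rights on it. The baseline file location and the allowed-identity list are assumptions, and SHA-256 is used here only to detect that the file changed, not to reproduce the hash that Software Restriction Policies stores.

```powershell
# Added example: verifies the two controls from the post still hold for cmd.exe.
# $BaselinePath and $AllowedIdentities are assumptions; adjust them to your policy.
param(
    [string]$Target = "$env:SystemRoot\System32\cmd.exe",
    [string]$BaselinePath = "$env:ProgramData\cmd-srp-baseline.json",  # hypothetical location
    [string[]]$AllowedIdentities = @('BUILTIN\Administrators')
)

# Capture the properties that change when a service pack replaces the file.
function Get-FileState([string]$Path) {
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path   = $item.FullName
        Length = $item.Length
        Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

$current = Get-FileState $Target

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: record the file state at the time the hash rule is created.
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Output "Baseline recorded for $Target"
    return
}

$baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json

# 1. Hash rule: a changed file no longer matches the rule and must be re-hashed.
if ($current.Sha256 -ne $baseline.Sha256) {
    Write-Warning "$Target changed since the baseline (size $($baseline.Length) -> $($current.Length)); recreate the hash rule."
} else {
    Write-Output "File unchanged since the baseline was recorded for $Target."
}

# 2. File permissions: list Allow entries held by anyone outside the allowed set.
$extra = (Get-Acl -LiteralPath $Target).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $AllowedIdentities -notcontains $_.IdentityReference.Value }
if ($extra) {
    Write-Warning "Allow entries outside the allowed set on ${Target}:"
    $extra | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
} else {
    Write-Output "Only allowed identities hold Allow entries on $Target."
}
```

Run it once from an elevated prompt when the rule is created to record the baseline, then again after each service pack or update.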