For example, when a user double-clicks 'actually-a-malicious-exe.txt' - does AppLocker classify by content actions ("Wait a minute, this is trying to launch a process"), or solely by file extension? I've seen SRP catch such deception, but I haven't found anything detailing exactly how AppLocker responds to this scenario.
How does AppLocker evaluate child processes for applications that do NOT specify LOAD_IGNORE_CODE_AUTHZ_LEVEL or SANDBOX_INERT?