We use two GPOs to stop executables from running in areas that viruses tend to use. One GPO for XP and one for Vista and newer.
Are those areas %appdata% and %temp%? That's what I have for now and I've started to try out %userprofile% as well and am testing at the moment.
Cheers
Steve