AppLocker is much better than Software Restriction Policies, but it only works on Windows Server 2008 R2 and Windows 7 and later.
You do not want to use both AppLocker and Software Restriction Policies in the same Group Policy, because the AppLocker policies will apply and the Software Restriction Policies will be ignored.
To create an AppLocker policy, navigate to:
Computer Configuration => Windows Settings => Security Settings => Application Control Policies => AppLocker
Right click on AppLocker and select Properties.
Select Configured with Enforce rules and click OK.
Right click on Executable Rules and select Create Default Rules.
With AppLocker, everything is blacklisted except what is specifically allowed. If you do not enable the default locations, you can stop Windows from running.
Right click on Executable Rules again and this time select Automatically Generate Rules.
Select the security group you want this rule to apply to.
Click on Create and the rules are automatically generated.
Now, to create a specific rule, right click on Executable Rules and select Create New Rule.
Choose Allow or Deny and the group you want this rule to apply to, and click Next.
Next you have a choice of Publisher, Path, or File Hash. Make your selection and click Next.
Select a reference file; in this case I am using Paint.
Then click Create and the rule appears in the list.
To make AppLocker work on a client, the Application Identity service needs to be set to start automatically. This can be done with Group Policy, or by using a preference.
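Once the policy has reached a client, the steps above can be checked from PowerShell. The script below is an added example, not part of the original walkthrough; it assumes Windows PowerShell 3.0 or later with the AppLocker module, Paint at its default path, and Everyone as the sample group.

```powershell
# Added example: client-side check that the AppLocker policy can take effect.
# Assumes Windows PowerShell 3.0+ with the AppLocker module, run on the client.
Import-Module AppLocker

$referenceFile = "$env:SystemRoot\System32\mspaint.exe"  # assumed default path of Paint
$testUser      = 'Everyone'                               # sample group to test against

# 1. Application Identity service (AppIDSvc): without it no rule is enforced.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='AppIDSvc'"
if ($null -eq $svc) { throw 'Application Identity service (AppIDSvc) not found.' }
"AppIDSvc: StartMode=$($svc.StartMode), State=$($svc.State)"
if ($svc.StartMode -ne 'Auto' -or $svc.State -ne 'Running') {
    Write-Warning 'AppIDSvc is not both Automatic and Running; check the Group Policy or preference.'
}

# 2. Executable Rules in the effective policy: enforcement mode and rule count.
[xml]$policyXml = Get-AppLockerPolicy -Effective -Xml
$exe = $policyXml.AppLockerPolicy.RuleCollection |
    Where-Object { $_.GetAttribute('Type') -eq 'Exe' }
if ($null -eq $exe) {
    Write-Warning 'The effective policy has no Executable Rules collection.'
} else {
    $mode  = $exe.GetAttribute('EnforcementMode')   # NotConfigured, AuditOnly or Enabled
    $count = $exe.SelectNodes('*').Count            # each child element is one rule
    "Executable Rules: EnforcementMode=$mode, Rules=$count"
    if ($mode -eq 'AuditOnly') {
        Write-Warning 'Executable Rules are in audit-only mode; nothing is blocked.'
    }
    if ($count -eq 0) {
        Write-Warning 'No executable rules found; the default rules are missing.'
    }
}

# 3. Ask AppLocker what it would decide for the reference file and group.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path $referenceFile -User $testUser |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

A PolicyDecision of Allowed or Denied names the matching rule; DeniedByDefault means no rule covers the file, which is the result to expect for anything outside the allowed locations.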