This is called policy software restriction.
Plus NTFS rights are commonplace.
Policy allows you to run applications are located in certain directories such as the Windows folder or ProgrammFiles. When you configured the policy to run application from another location, such as your desktop will not work. And the record the user is permitted only to the home directory - it is the right file system.