Hi NewmanIT and everyone,
Since W2K3 you ca create a GPO to prevent CMD.exe run.
To do so, create a new/edit an existing one and go to:
user configuration / administrative templates / system
Enable <b>Don’t Run Specified Windows Applications</b>.
Click Show -> Add and type cmd.exe
Don’t forget to apply this GPO to the OU in which are the users you want to prevent cmd.exe access
After finishing, do a gpupdate /force in the client you want to test and verify that a regular user cannot execute cmd.exe.