I got some very useful advice including the regex expression and links in this thread. I thought I would share my experience with the ADC policy in case someone decides to pursue this path.
First of all, thanks to SMLatCST I can pinpoint the folders and subfolder level using Regex.
The challenge I ran into when blocking exes in "appdata" is the policy started blocking legitimate installs. For example, java, Firefox and Adobe updates started to fail. So I was watching the Application logs for blocked traffic and was starting to add exceptions. However, I suspect that it will take a while to get all of the necessary exceptions in place to make the policy block bad stuff but allow good stuff to run. I also have been looking at detected infections to see where the exes are running, using that information to tune the policy. There is definitely a give and take with this.
So far I have not received complaints, but some service desk personnel have been logging tickets with me to create some exceptions so that they can install tools and apps. I have not received any reports of performance issues when the policy was pushed out.
Finally, I want to second the comment from Mick2009 about IPS. I think you take a lot of the power away from SEP without the IPS policy enabled. In a previous job, I ran SEP 11 without IPS for a while, and infection rates were really high. I had turned it off because IPS used to have a negative performance impact on many applications and network printing. Eventually that was resolved, and when I turned IPS back on, the rebuild rate at the service desk due to infection dropped by 90%.
BB