That's the thing, a good GPO wouldn't allow that save since it requires admin priv to access User, Windows, ProgamData, Program Files, and Program Files (x86). Kinda like the first thing you linked which is using an exe to grant system level priv, the exe would be wiped being malicious or blocked from download. Both require system level access or a weak GPO. I'm relatively an amatuer when it comes to group policy creation admittedly and I had my kids machines locked down under my own domain and AD in my own house. I tried everything I could think of as my work arounds to my own setup on their machines and nothing worked. My own DNS policies blocked the rest. I'd hope experienced admins working large networks could muster this, as at Lockheed I couldn't do squat once they ditched Jira and went with a good GPO. Relying totally on systems like Jira means you're only blocking things that require admin which there definitely are workarounds for. Locking profiles down by group policy and local access is a different ball park. Mind you, I did AD, domain, and DNS at my own house spun up from scratch simply as education to further my career. Only took me a couple hours and pros should be able to do it in their sleep, especially 6 figure salaried pros.
A secondary preventative measure is a good IPS and honeypot. That previous situation was just an experiment for education, but for regular use I use OpenDNS to block what I don't want my kids getting to on top of group based blocks provided by Ubiquiti. I have my kids VLAN operating under a Honeypot and it along with IPS blocks a lot of localized malicious content that finds its way through DNS blocks. Like stupid Robux surveys.
