Disable the command prompt
User Configuration\Administrative Templates\System
Description
Prevents users from running the interactive command prompt, Cmd.exe. This policy also determines whether batch files (.cmd and .bat) can run on the computer.
If you enable this policy and the user tries to open a command window, the system displays a message explaining that a policy prevents the action.
Caution
Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Terminal Services.