In the NT family the way something similar is accomplished
is to manage the NTFS permissions of the executable.
For example, if iexplorer.exe no longer had a Read/Execute
grant to Users, but instead to YourCustomGroup, then an account
could run it only if it were a member of YourCustomGroup.
This does not cause a prompt for a password, as that was done
when the account logged in, but it does prevent accounts without
and NTFS grant from using the executable.
