Elevation with Executables, Scripts, Commands

cmd.exe

Any program can be executed from the command line in a CMD.EXE console window. If the program being run is also a console program then it will share the same console window for its input and output. GUI programs run from a console window will "detach" and run on the desktop in their own GUI window as they aren't tied to the console input/output streams.

External commands typically associated with CMD.EXE are nothing more than other console mode programs, such as XCOPY.EXE, ICACLS.EXE, etc. External commands can be selectively elevated via policy but internal commands, such as DEL and COPY, are executed at whatever level of elevation that instance of CMD.EXE currently has.

Internal commands supported by CMD.EXE cannot be targeted by policies. To restrict internal commands, do not elevate cmd.exe itself; instead, elevate specific command lines or read-only .bat scripts.

You can block executables, but not the commands within an executable.

Refer to the following references regarding internal vs external commands on Windows NT.

How-to: Internal commands

An A-Z Index of Windows CMD commands - SS64

PowerShell

PowerShell internal functions cannot be easily restricted. For selective control, instead of elevating PowerShell, you can elevate access to particular scripts using a command line filter. The scripts should be placed in a read-only folder.
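
The following is an added example, not code from the original page or from any product it describes. It audits whether the folder holding elevated .bat or PowerShell scripts really is read-only for non-administrators, since a script that a standard user can modify runs that user's content when elevated. The function name, the folder path `C:\ElevatedScripts` and the trusted SID list are assumptions.

```powershell
# Added example: audit the folder holding scripts targeted by an elevation rule.
# Function name, path and trusted SID list are assumptions; adjust for your environment.
function Get-UntrustedScriptWriter {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Principals allowed to change the scripts: Administrators, SYSTEM, TrustedInstaller
        [string[]]$TrustedSid = @(
            'S-1-5-32-544',
            'S-1-5-18',
            'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
        )
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Rights that allow changing, replacing or re-permissioning a script,
    # plus the raw GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits.
    $writeMask = ([int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x10000000 -bor 0x40000000

    # Check the folder itself and everything beneath it.
    $items = @(Get-Item -LiteralPath $Path -Force) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName

        # The owner can always rewrite the DACL, so an untrusted owner is a finding.
        $owner = $acl.GetOwner($sidType).Value
        if ($TrustedSid -notcontains $owner) {
            [pscustomobject]@{ Path = $item.FullName; Sid = $owner; Rights = 'Owner'; Inherited = $false }
        }

        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs do not apply to this object; its children are checked themselves.
            if ($rule.PropagationFlags.HasFlag([System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
            if ($TrustedSid -contains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $rule.IdentityReference.Value
                Rights    = "$($rule.FileSystemRights)"
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Hypothetical folder referenced by the policy's command line filter.
$findings = Get-UntrustedScriptWriter -Path 'C:\ElevatedScripts'
if ($findings) { $findings | Format-Table -AutoSize } else { 'No untrusted write access found.' }
```

Run it from an account that can read the ACLs of every file in the folder; any row returned names a principal that could alter a script before it is elevated.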