For such a simple-style block, I'd think about using the built-in feature of Windows to do this instead of SEP. SEP's Application and Device Control works well, but the block you're wanting would probably be easier in Group Policy than in SEP. Plus, then if your users or malware somehow disables SEP, the Group Policy block would still be in effect.
This site covers it in detail, technet.microsoft.com/en-us/library/bb457006.aspx, but basically, you'd enable the Software Restriction Policy using a path rule and allow the C: drive. Keep in mind, the Group Policy software restriction policy allows both blacklisting and whitelisting. When whitelisting, you'll also need to allow any network-based paths that applications might run from (like logon scripts or software deployment shares).
I'll leave it to other people here to talk about how to do this in SEP.