
Limiting UAC Prompts

There are two policies you can configure to limit which executables User Account Control (UAC) will elevate:

1) Security Settings > Local Policies > Security Options > User Account Control: Only elevate executables that are signed and validated

2) Security Settings > Local Policies > Security Options > User Account Control: Only elevate UIAccess applications that are installed in secure locations

The “User Account Control: Only elevate executables that are signed and validated” policy is disabled by default. When enabled, it enforces PKI certificate chain validation on any interactive application that requests elevation of privilege: an executable that is unsigned, or whose signature does not validate, is refused elevation instead of prompting. You can further control the allowed list of applications by managing the population of certificates in the local computer's Trusted Publisher store.

Enabled by default, the “User Account Control: Only elevate UIAccess applications that are installed in secure locations” policy is about where an application lives, not how it is signed. It enforces the requirement that any application requesting execution at the UIAccess integrity level (one that sets uiAccess="true" in its application manifest) must reside in a secure location on the file system. Secure locations are limited to the following directories:

%PROGRAMFILES%\ (its root and all subdirectories)
%WINDIR%\System32

On 64-bit versions of Windows Vista, the 32-bit program files folder (…\Program Files (x86)) and its subdirectories also count as a secure location.

Windows always enforces a PKI signature check on any interactive application that requests execution at UIAccess integrity, regardless of this policy setting. This policy simply adds a further requirement on the location of such applications.
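The following PowerShell script is an added example, not code from the original post. It reads the registry values behind the two policies discussed above (ValidateAdminCodeSignatures and EnableSecureUIAPaths under the Policies\System key) and audits a single executable the way an administrator would before deploying it: is it Authenticode-signed, is the signer in the local machine's Trusted Publishers store, does it ask for UIAccess, and if so, does it sit in one of the secure locations listed above. The manifest check is a heuristic (a side-by-side .manifest file if present, otherwise a text search of the image for uiAccess="true"), not the loader's own manifest parser, and the final verdict approximates the rules from the post rather than reproducing UAC's internal logic.

```powershell
# Added example: audit the UAC elevation policies and one executable.
# Policy-backed registry values are real; the "would elevate" verdict is an
# approximation of the rules described in the post, not consent.exe itself.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacElevationPolicy {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    # An absent value means the Windows default applies:
    # signed-and-validated is Disabled (0), secure UIAccess paths is Enabled (1).
    $signed = if ($null -ne $p.ValidateAdminCodeSignatures) { [int]$p.ValidateAdminCodeSignatures } else { 0 }
    $secure = if ($null -ne $p.EnableSecureUIAPaths)       { [int]$p.EnableSecureUIAPaths }       else { 1 }
    [pscustomobject]@{
        OnlyElevateSignedAndValidated        = ($signed -ne 0)
        OnlyElevateUIAccessInSecureLocations = ($secure -ne 0)
    }
}

function Test-SecureLocation {
    # Secure locations as listed in the post: %PROGRAMFILES% and its subfolders,
    # %WINDIR%\System32 itself, and on 64-bit Windows the x86 program files folder.
    param([Parameter(Mandatory)][string]$Path)
    $full = [System.IO.Path]::GetFullPath($Path)
    $dir  = [System.IO.Path]::GetDirectoryName($full).TrimEnd('\')
    $cmp  = [System.StringComparison]::OrdinalIgnoreCase

    if ($dir.Equals("$env:windir\System32", $cmp)) { return $true }
    $roots = @($env:ProgramFiles)
    if (${env:ProgramFiles(x86)}) { $roots += ${env:ProgramFiles(x86)} }
    foreach ($root in $roots) {
        if ($full.StartsWith($root.TrimEnd('\') + '\', $cmp)) { return $true }
    }
    return $false
}

function Test-RequestsUIAccess {
    # Heuristic: prefer an external .manifest beside the file, otherwise search
    # the raw image for the uiAccess="true" attribute of an embedded manifest.
    param([Parameter(Mandatory)][string]$Path)
    $pattern = 'uiAccess\s*=\s*["'']true["'']'
    $side = "$Path.manifest"
    if (Test-Path -Path $side) {
        return [bool]((Get-Content -Path $side -Raw) -match $pattern)
    }
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return [bool]($text -match $pattern)
}

function Test-UacElevationCandidate {
    param([Parameter(Mandatory)][string]$Path)
    $policy = Get-UacElevationPolicy
    $sig    = Get-AuthenticodeSignature -FilePath $Path

    # Is the signing certificate itself present in Trusted Publishers?
    $trustedPublisher = $false
    if ($sig.SignerCertificate) {
        $thumb = $sig.SignerCertificate.Thumbprint
        $trustedPublisher = [bool](Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
            Where-Object { $_.Thumbprint -eq $thumb })
    }
    $uia    = Test-RequestsUIAccess -Path $Path
    $secure = Test-SecureLocation -Path $Path

    # Rules from the post: an invalid signature blocks elevation only when the
    # first policy is on; UIAccess always needs a valid signature and, when the
    # second policy is on, a secure location as well.
    $blocked = @()
    if ($policy.OnlyElevateSignedAndValidated -and $sig.Status -ne 'Valid') {
        $blocked += 'signature not valid (only elevate signed and validated)'
    }
    if ($uia -and $sig.Status -ne 'Valid') {
        $blocked += 'UIAccess requested but signature not valid (always enforced)'
    }
    if ($uia -and $policy.OnlyElevateUIAccessInSecureLocations -and -not $secure) {
        $blocked += 'UIAccess requested from outside a secure location'
    }

    [pscustomobject]@{
        Path               = $Path
        SignatureStatus    = $sig.Status
        Signer             = $sig.SignerCertificate.Subject
        InTrustedPublisher = $trustedPublisher
        RequestsUIAccess   = $uia
        InSecureLocation   = $secure
        WouldElevate       = ($blocked.Count -eq 0)
        Reasons            = $blocked
    }
}

# Usage: audit the on-screen keyboard, a UIAccess application shipped in System32.
Get-UacElevationPolicy
Test-UacElevationCandidate -Path "$env:windir\System32\osk.exe" | Format-List
```

Run it from an elevated prompt when the policy key is locked down, and point it at an installer copied to a user's Downloads folder to see the UIAccess location rule trip: the signature may be valid, but with EnableSecureUIAPaths left at its default the path alone is enough to block it.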


Bob Kelly's Bio:

Bob Kelly is the founder of AppDeploy.com, a resource focused on desktop management products and practices. He is author of the Start to Finish Guide to Scripting with KiXtart and The Definitive Guide to Windows Desktop Administration. He is also president and co-founder of iTripoli, Inc., which provides AdminScriptEditor.com, home to an integrated suite of scripting tools and a shared library of scripts and language help.