My understanding is that this siganture will block all executables except the ones in the exception rules.
Not all executables will be blocked. Any exectuables listed in the Trusted Applications policy will be allowed to run. Any other exectuables that you need to allow to run, you should create an IPS exception for those exectuables and Signature 6011. Also please note Host IPS Best Practices for policy assignments in the Product Guide.
PD22894 - Host Intrusion Prevention 8.0 for ePO 4.5 Product Guide
https://kc.mcafee.com/corporate/index?page=content&id=PD22894
Page 37
Assigning multiple instances of the policy
Assigning one or more instances of the policy to a group or system in the ePolicy Orchestrator
System Tree provides for single policy multi-purpose protection.
The IPS Rules policy and the Trusted Applications policy are multiple-instance policies that can
have more than one instance assigned. A multiple-instance policy can be useful for an IIS
Server, for example, where you might apply a general default policy, a server policy, and an
IIS policy, the latter two configured to specifically target systems running as IIS servers. When
assigning multiple instances, you are assigning a union of all the elements in each instance of
the policy.
NOTE: The McAfee Default policy for both IPS Rules and Trusted Applications are updated when
content is update. McAfee recommends that these two policies always be applied to make sure
protection as up to date as possible.
