Application Control has changed from 2016 version.
Trusted Application Mode is not absolute default-deny. Programs can still be executed on the system based upon a local-cloud algorithm. Most of what can\cannot be executed is based upon the KSN lookup function. In short, TAM is restricted default-allow. The default restrictions are sufficient\insufficient based upon your point of view.
You can modify the default Low Restricted policies to much more strict.
Implicit in the way Kaspersky products work, if you don't want programs to be installed or run on the system, then don't download them and install\execute them. That's essentially implicit in any default-allow protection model. Default-allow is not going to protect a user 100 % - who is willing to gamble their system security by executing unknown\untrusted files on their system.
In KIS 2016, the user could define to which File Group an unknown\untrusted file would be assigned. For example, Untrusted. It was almost default-deny, except for digitally signed files.
In KIS 2017, the file is auto-assigned to a File Group based upon a local-cloud (KSN) algorithm.
The handling of scripts has changed as well. For example, powershell scripts (*.ps1) used to be blocked based upon configuration, but now they are not.
To stop KIS from auto-assigning files to groups - if I recall correctly, you can disable KSN cloud lookup - and assign files manually to file groups. You can ask
@harlan4096 to confirm, but disabling "Trust digitally signed files" and disabling KSN lookup can result in some unpleasant, unexpected behaviors.
Any known safe files that are assigned to Low or High Restricted file group should be moved to the Trusted group - otherwise, if the user disables "Make decisions automatically" (= interactive mode) - it will create a flurry of HIPS alerts for any Low Restricted group program upon execution.
Obviously, any know safe files that are assigned to the Untrusted group will be blocked - and the user will need to assign to a group with execution rights. If you know it is safe, then add it to Trusted.