Windows
Dmitry, 2020-04-14 15:30:22

How to create a whitelist for booting OS Windows 10 / 2016+?

Good afternoon,
Tell me how to make a list of trusted files (of the OS itself) and boot / work from it?
Point me to articles, or if anyone has done this, share your experience.


4 answer(s)
Karpion, 2020-04-14
@Karpion

Explain the problem: where do the files that cannot be downloaded come from? And downloaded where?

Dmitry, 2020-04-16
@Gladspir

Scripts, actions of persons, modification of files involved in the operation of the OS.
The OS somehow determines what it needs to work?

Maxim Yaroshevich, 2020-04-23
@YMax

The task is not clear. Protection of system files is in the system "out of the box", so why overcomplicate things?

Alex, 2020-05-11
@asilonos

You can approach this from the opposite direction: enable protection against creating / modifying executable files at the driver level. StaffCounter DLP has such a feature (for a fee). In this case it is impossible to create / copy / save new EXE, DLL, SYS, OCX, etc. on the disk, i.e. anything with a PE header (and Windows stops updating, because the DLP module does not allow writing a PE header). In general, there will be no new binaries.
+ You also need to "cut out" the PowerShell engine by hand yourself.
Theoretically, a dropper can live in memory for a long time and try to save a packed payload to disk, and only some script can run it. Or, if this is a new type of malware that works exclusively in memory, then there are no options for protection by ensuring the integrity of the OS / files.
Correct me if I missed something).
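
An added illustration, not part of the original thread and not StaffCounter's code: how a "no new files with a PE header" rule has to decide by content rather than by extension. The function names and the header-only sample inputs are constructed for this example.

```python
import struct

IMAGE_FILE_DLL = 0x2000      # COFF Characteristics flag: image is a DLL (OCX too)
SUBSYSTEM_NATIVE = 1         # optional-header Subsystem used by kernel drivers

def classify_pe(data: bytes):
    """Return 'exe', 'dll' or 'driver' for a PE image, None for anything else."""
    if len(data) < 0x40 or data[:2] != b"MZ":          # DOS header magic
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    opt = e_lfanew + 4 + 20                             # signature + COFF header
    if opt + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        return None
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    if subsystem == SUBSYSTEM_NATIVE:
        return "driver"
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"

def build_sample(characteristics: int, subsystem: int) -> bytes:
    """Constructed header-only PE32+ sample for the demo (not a loadable image)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, characteristics)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def write_allowed(data: bytes) -> bool:
    """Policy from the answer above: refuse any write whose content is a PE image."""
    return classify_pe(data) is None

if __name__ == "__main__":
    # Constructed inputs: the file name plays no part in the decision.
    samples = {
        "tool.exe": build_sample(0x0022, 3),
        "notes.txt (renamed DLL)": build_sample(0x2022, 2),
        "filter.sys": build_sample(0x0022, 1),
        "job.ps1": b"Get-ChildItem C:\\Windows\n",
    }
    for name, data in samples.items():
        print(f"{name:26} kind={classify_pe(data)} write_allowed={write_allowed(data)}")
```

The renamed DLL is still refused, while the script passes a PE-only check, which is why the answer lists PowerShell as a separate item to lock down.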
