I promised myself I wouldn't do it again, only this time because you have a nice nick. Suppose just as an example, as the shortest path of explanation, you choose as a protected folder "C:\Windows". From "Allow an app through Controlled folder access" remove "cmd.exe" and "powershell.exe" if there are here, run script. And say which popup come out? Now you can experiment with all folders and each *.exe If you want to experiment with Windows Defender Sandbox, enable it, restart your PC, disable Controlled folder access and run script. With "disabled" WD attempt to download "eicar" test file, you will say what happens? I ended up here.