Hi All,
We have a requirement to block the installation of applications downloaded from the internet, and it should pop up a block message asking users to reach out to the SD team for installation. Kindly provide the steps or an idea of how to implement this.
Thanks in advance.
While I’ve typically seen this used primarily in TAP rules, one option to explore might be the BeyondTrust Zone Identifier application criteria:
Matches on the BeyondTrust Zone Identifier tag, where present. If an Alternate Data Stream (ADS) tag is applied by the browser, then also applies a BeyondTrust Zone Identifier tag to the file. The BeyondTrust Zone Identifier tag can be used as matching criteria if required.
To explain: the Defendpoint service sets ADS tags for files downloaded via a browser -- more specifically, we set two separate tags:
1. PG$Secure
2. Avecto.Zone.Identifier
#1 is used in reference to the Source URL application definition criteria, whereas #2 is the same mark of the web added by Windows via the “Zone.Identifier” tag, and is used in the BeyondTrust Zone Identifier app definition criteria.
The “BeyondTrust Zone Identifier” criteria check to see whether the ADS tag exists or not; if the browser applied an ADS tag to a file originally, then you can leverage that as matching criteria with the BT Zone Identifier since it will persist (unless it is removed from the filesystem directly, or if the file is moved to a filesystem which doesn’t support ADS).
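To confirm which of these tags are actually present on a file before relying on them as matching criteria, the following PowerShell can be used. It is an added example, not part of the original reply or BeyondTrust's own tooling. The function name `Get-DownloadTag` and the Downloads folder path are assumptions; the stream names are the ones given above, and only the standard Windows `Zone.Identifier` stream is parsed for its zone value.

```powershell
# Added example: report which download-related ADS tags are present on files.
# PG$Secure and Avecto.Zone.Identifier are the stream names given in the post above;
# Zone.Identifier is the standard Windows Mark of the Web stream.
function Get-DownloadTag {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    begin {
        # Single quotes so that $Secure is not expanded as a variable.
        $tagNames = 'Zone.Identifier', 'Avecto.Zone.Identifier', 'PG$Secure'
    }
    process {
        # Stream enumeration only returns ADS on filesystems that support them (NTFS).
        $streams = @(Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Stream)

        $zoneId = $null
        if ($streams -contains 'Zone.Identifier') {
            # Windows stores the zone as an INI-style line, e.g. "ZoneId=3" (Internet).
            $line = Get-Content -LiteralPath $Path -Stream Zone.Identifier |
                Where-Object { $_ -match '^ZoneId=\d+' } | Select-Object -First 1
            if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
        }

        # One row per file: the path, the Windows zone, and a presence flag per tag.
        $result = [ordered]@{ Path = $Path; ZoneId = $zoneId }
        foreach ($name in $tagNames) { $result[$name] = $streams -contains $name }
        [pscustomobject]$result
    }
}

# Assumed location: audit installers in the current user's Downloads folder.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -File -Include *.exe, *.msi -Recurse |
    Get-DownloadTag | Format-Table -AutoSize
```

A file that shows `False` in every tag column has either never been tagged by a browser or has lost its streams, for example after being moved through a filesystem without ADS support, so a Zone Identifier rule will not match it.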
Thanks for the help. Also, can you help with how to block the installation of downloaded apps, meaning block the installation of any application? Users should not install applications on their own, and the support team should install the applications.
Specifically this post:
The first would be to use default-deny allowlisting - which will prevent users from running any unprivileged applications they have introduced. This is part of the QuickStart template and combines an allowlist with an ‘Any Application’ catch all rule which is where you apply a block or exception message. If you have deployed QuickStart, you may just be able to adjust your rules to enforce this - or you may wish to use the configuration as a reference to implement the same settings if you are using a custom policy.
In other words: if the goal is to prevent any unapproved software from being introduced by your end users, you may want to leverage the Quick Start policy approach where we can define an ‘allow list’ while maintaining the default ‘Any Application’ catch all with a block message applied. This way, if any user attempts to elevate/install an application that is not explicitly defined in your policy, they will eventually trigger that catch all rule, catching the execution attempt.