While I personally love Command Prompt and almost always have an instance of it open in order to launch administrative tools, in general it is true that Command Prompt is a security nightmare. If any user somehow stumbles their way into an elevated Command Prompt window, they can do literally anything inside the Windows operating system. So as a matter of security common sense, if there is not a legitimate need for Command Prompt to be used on workstations in your environment (and I very much doubt that there is), disable it! This is a quick and simple policy, but one that is almost always a great addition to a well-rounded security package:
User Configuration | Policies | Administrative Templates | System | Prevent access to the command prompt:
Set Prevent access to the command prompt to Enabled; that's it! CMD.EXE is now blocked wherever this GPO applies. You will also notice that there is a separate selection within that setting regarding scripts and whether they should continue to be allowed to run. If you are utilizing batch-style logon or logoff scripts, you will want to make sure script processing remains enabled; otherwise this GPO will break your scripts.
Once enabled, attempting to launch Command Prompt from my user login now results in the following message:
Remember that this is a User Configuration policy, and as such you will be scoping your GPO to apply to user accounts, not computers. For example, I just mistakenly linked this GPO to my testing GPOs OU where my LAPTOP1 machine sits, and then sat here wondering why I could still access Command Prompt on that machine. Doh! What I actually needed to do was link this GPO to my accounting users OU, which is where my test user account resides. After making the change, I was immediately blocked from accessing cmd.exe.
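The same two steps from above (enable the setting while keeping script processing on, then link the GPO to the OU that holds the user accounts rather than the computers) can be done from PowerShell and then verified from the user's session. This is an added example, not code from the original post; it assumes the GroupPolicy RSAT module is available, the GPO name "Block Command Prompt" and the OU distinguished name are placeholders you would replace, and it uses the registry value the setting writes (HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD, where 1 blocks both cmd.exe and batch scripts and 2 blocks cmd.exe but lets scripts run), which the post itself does not mention.

```powershell
# Added example (not from the original post). Assumptions: GroupPolicy RSAT module installed,
# GPO name and OU DN are placeholders. The setting is backed by the user-hive value
# HKCU\Software\Policies\Microsoft\Windows\System\DisableCMD:
#   1 = cmd.exe blocked AND batch script processing blocked
#   2 = cmd.exe blocked, batch scripts still run (the choice that keeps logon/logoff scripts working)

Import-Module GroupPolicy

$GpoName    = 'Block Command Prompt'                      # assumed GPO name
$UserOu     = 'OU=Accounting Users,DC=example,DC=com'     # placeholder DN of the OU holding USER accounts
$PolicyKey  = 'HKCU\Software\Policies\Microsoft\Windows\System'   # form accepted by Set-GPRegistryValue
$ClientPath = 'HKCU:\Software\Policies\Microsoft\Windows\System'  # same key as a PowerShell drive path

# Step 1: create the GPO if it does not exist and enable the setting with scripts still allowed (value 2).
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'DisableCMD' -Type DWord -Value 2 | Out-Null

# Step 2: link to the OU containing user accounts. This is a User Configuration policy,
# so a link on an OU that only holds computer objects will have no effect (the mistake described above).
$linked = (Get-GPInheritance -Target $UserOu).GpoLinks.DisplayName -contains $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $UserOu | Out-Null }

# Step 3: run this as the affected user (after gpupdate) to confirm what actually applied,
# instead of guessing from whether cmd.exe opens.
function Test-CmdPromptPolicy {
    $v = (Get-ItemProperty -Path $ClientPath -Name 'DisableCMD' -ErrorAction SilentlyContinue).DisableCMD
    switch ($v) {
        1       { [pscustomobject]@{ Applied = $true;  CmdBlocked = $true;  ScriptsAllowed = $false } }
        2       { [pscustomobject]@{ Applied = $true;  CmdBlocked = $true;  ScriptsAllowed = $true  } }
        default { [pscustomobject]@{ Applied = $false; CmdBlocked = $false; ScriptsAllowed = $true  } }
    }
}

Test-CmdPromptPolicy
```

Run the first two steps from a management workstation with rights to edit and link GPOs, and the verification function from a session logged on as a user in the scoped OU; a result of Applied = $false on the machine where you expected a block usually means the GPO is linked to the wrong OU, exactly the scoping issue described above.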