Set Windows permissions to allow modify, but not execute

Solution 1:

Read & Execute is a subset of Modify, so when Modify is allowed Read & Execute is, by definition, also allowed. See this table on TechNet for details.

You can set the special permissions individually (and exclude Execute File) with the Advanced Security Settings window (click Advanced on the Security tab).
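A scripted equivalent of the Advanced Security Settings approach in Solution 1, as an added example that is not part of the original answer. The folder path and group name are hypothetical; the script grants Modify with the Execute File bit cleared, then lists any other Allow entries that would still permit execution.

```powershell
# Added example: path and group are assumptions, adjust before use.
$Path     = 'D:\Shared\Uploads'     # hypothetical target folder
$Identity = 'CONTOSO\Uploaders'     # hypothetical group to restrict

$Rights = [System.Security.AccessControl.FileSystemRights]

# Modify is a composite right that contains ExecuteFile (0x20, the same bit as
# Traverse Folder). Clear that single bit to get "Modify without Execute File".
$modifyNoExec = [System.Security.AccessControl.FileSystemRights](
    [int]($Rights::Modify) -band (-bnot [int]($Rights::ExecuteFile)))

# Apply to this folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Identity, $modifyNoExec, $inherit, $propagate, 'Allow')

$acl = Get-Acl -LiteralPath $Path
# Remove explicit entries this identity already holds, then add the reduced one.
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Identity)
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# Allow entries are cumulative, so an inherited entry or another group the user
# belongs to can still grant execute. Report every Allow ACE that carries
# ExecuteFile (0x20), GENERIC_EXECUTE (0x20000000) or GENERIC_ALL (0x10000000).
$execMask = 0x20 -bor 0x20000000 -bor 0x10000000
(Get-Acl -LiteralPath $Path).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   ([int]$_.FileSystemRights -band $execMask) } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Any row in the final output for a group the user is a member of (for example an inherited Users entry with Read & Execute) means execution is still allowed until that entry is removed or inheritance is broken.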

Solution 2:

You cannot set "modify" on a folder for a user without having "execute" permission on it for that user... and, as suggested by other answers here, it's not even possible to deny execution while preserving modify, so the solution may be this:

A Group Policy for disallowing execution by default, then whitelisting, may be the choice:

Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies

Set the security level to Disallowed, allow the paths in which you want users to be able to execute in "Additional Rules", and you're 90% done.

You'll just add any application paths outside of Program Files that you might need (network locations, etc.).

I also disallow regedit.exe and runas.exe.

If you just want to blacklist, you'll set your default level to Unrestricted, then disallow a specific folder... It's not going to be very effective, though.

Also, make sure to whitelist *.lnk or users will find that start menu shortcuts don't work.