This is a follow-up from SPEC-3412. 

What I'm not really sure if this should be the default policy (as there can't be more than one policy engine at a time installed in the comppsitor), or if it should be present in the source code for people to use if needed. A deny-all policy is basically the allow-all policy but negated, there is nothing more to it. As I don't have a mechanism to switch dynamically between policy engines or have some kind of scripting behaviour, the compositor needs to be re-compiled and pointed at the desired policy engine. 

Or maybe have the deny-all policy installed and have the demo apps listed as allowed?