MCX Blacklist?

I'm trying to learn the ins and outs of user management via local MCX records. I've googled till my fingers are numb and am not finding any clear answer to this question: Can you simply tell OSX not to allow one application to run? In WGM it's clear enough that you can provide lists of apps that are approved, but there is no similar "disallow" list. I see disallow in the folder restrictions, but that forces you to define an "allow" folder list as well. I don't want to attempt to manage allow lists, I don't feel comfortable that I'd think of every possible app. Using mcxquery it is clear that there is a "whiteList" key, is there a simple "blackList" that I'm just not finding documented anywhere? Perhaps I'm just naive of the implications programmatically why this isn't completely clear and easy to do, but it just doesn't seem like a tough request. My goal is to simply disallow the use of Skype for the Student account, while allowing it on the Teacher account in a schoolwide laptop deployment. When I first read about MCX management it sounded perfect, but nothing I have found is reassuring me that it actually will do what I want, and so far I have failed to get it to do so with my own trial and error with WGM and dscl. I'm running a mixed 10.5.8 and 10.6.3 environment, to be clear. Sorry if this is a newb question, but I've wasted so much time searching for this answer on my own.