Thanks for the updated rule idea. I tried it with the syntax you provided, but could not get it to work that way; it would fail to compile. I used an Include -processor_mode "kernel", and that seemed to compile, but it would not fire on an admin account. Even when you use an admin account to launch iexplore.exe, it is still considered user mode and not kernel. I switched it from "kernel" to "user" and it fired, as the process was indeed in user mode.
Perhaps there is another way.
This is the correct usage. Here is an example Expert Rule (modified from the ENS Product Guide PD27227, page 32) that I had previously tested successfully.
Rule {
    Process {
        Include OBJECT_NAME { -v cmd.exe }
        Exclude EXP_USER_NAME { -v {domain\administrator} }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "c:\\temp\\*test.txt" }
            Include -access "CREATE"
        }
    }
}
For other usernames (with spaces for example), I tested using quotes vs brackets for usernames with spaces, and the brackets worked for me.
Didn't work:
Include EXP_USER_NAME { -v "NT AUTHORITY\SYSTEM" }
Worked:
Include EXP_USER_NAME { -v {NT AUTHORITY\SYSTEM} }