[Windows Sandbox] MITIGATION_EXTENSION_POINT_DISABLE support for children.

This CL is part of a chain of CLs:
2) "MITIGATION_EXTENSION_POINT_DISABLE emergency off finch" (https://codereview.chromium.org/1836523004/)
3) "New NT registry API" (https://codereview.chromium.org/1841573002)
4) "Early browser security support" (https://codereview.chromium.org/1656453002)
5) "Turn on MITIGATION_EXTENSION_POINT_DISABLE" (https://codereview.chromium.org/1854323002)

Added support for this mitigation on child processes.
Not turning on in this CL - will add in a tiny follow-up CL that is
easy to revert if necessary.

6 out of 7 of the tests added to sbox_integration_tests
(ProcessMitigationsTest.CheckWin8ExtensionPoint*) are DISABLED and should be run manually
(will not auto run on bots).

The following extension points are blocked by this policy:
o   AppInit DLLs
o   Winsock Layered Service Providers (LSPs)
o   Global Windows Hooks (not thread-targeted hooks)
o   Legacy Input Method Editors (IMEs) - note Chrome supports IMEs via extension (https://developer.chrome.com/extensions/input_ime).

TEST=Manually run against Win8.1 x64, Win10 x64, Win10 x86.

Review-Url: https://codereview.chromium.org/1835003003
Cr-Commit-Position: refs/heads/master@{#400422}
8 files changed