The only really usable way is to use a deployment tool to install applications with, and then only let that tool install applications using CSA rules. You could also create a list of filenames that the user can't execute, so they can install, but not execute, messenger or whatever. If I can suggest something else, how about doing a lockdown of unknown applications communicating outside your network? You could say that no file saving is possible, or copy/paste from that application, registry access and so on... just a suggestion.