Note that in Windows, certain classes of applications do not need administrative privileges to install. This is true in many OSs.

The only method of lockdown that might succeed is a restrictive mandatory profile that locks down the desktop and start menu along with a white list of allowable applications.

In conjunction with senior management, create an acceptable use policy with teeth and enforce it. Setup logging for the system and audit who does what.

Also, you can require those with local administrative access to be responsible for reloading their own systems anytime an unauthorized application is found on their system. This requires a good automated lite touch or zero touch build process (and the always required senior management backing). It does wonders to get people to stop loading software on their own. Especial after they have to explain to their manager why that report is late because of the fifth system reload for the month because they broke software installation policy.

There are also utilities that available to assist with removing the need for local administrative privileges.

Finally there are things like MS Steady State or other 3rd party products that return a system to a known state. It can be an interesting experience to watch someone install and application, reboot the system to complete and the system comes back up to the state prior to the install…