Colin B. wrote:

> remove admin privileges from users for their workstations so they can't

> install software,

That won't stop them from using installer-free software, software with
working installers, patching installers or porting installed applications.

The real solution, aside from the obvious necessity you stated, is to
globally remove exec rights.

> block traffic by port number or destination,

Won't help against proxzing and/or tunneling. Again, globally removing exec
rights does the job.