Some people might dislike me for admitting that I really like restricted systems or networks.
Fact is, most failures I am fixing are caused by users installing software, not doing updates, or doing other nasty things that wreck the PC they’re working on.
Preventing those user-caused problems isn’t always easy – but cutting down user permissions helps a lot.
Forbidding dangerous things might look promising, but you never know what the user will do next, as users are damn creative sometimes. A better way is disallowing everything except the things a user really needs to do. Of course, this will cause many users to shout at you, but now their actions are a bit more predictable.
But that only works if the management supports the idea…