How to block domain users from installing any apps
Hello Team,
We have received a request from the client to ensure that no applications (including .msi or .exe files) can be installed on PCs unless the user has domain administrator credentials. This measure is intended to mitigate the risk of potential security breaches.
So far, I have attempted the following approaches:
AppLocker – Did not produce the desired results.
Software Restriction Policies (SRP) – Partially effective, but still allows some installations.
Despite these efforts, browsers like Chrome, Mozilla, Opera, and Brave can still be installed without domain admin credentials. In some cases, even when prompted for admin credentials, clicking “Cancel” still allows the installation to proceed.
Additionally, while testing different combinations, system applications such as Cortana, Mail, Calculator, and even Display settings were unintentionally blocked.
Here are the SRP paths I attempted (which had limited success):
C:\Windows\Temp\*.exe
C:\Windows\Temp\*\*.exe
%USERPROFILE%\AppData\Local\*.exe
%USERPROFILE%\AppData\Local\*\*.exe
%USERPROFILE%\AppData\Roaming\*.exe
%USERPROFILE%\AppData\Roaming\*\*.exe
C:\Users\lantek.READINGHA\Downloads\*.exe
While these rules block several executables, applications like Microsoft Teams fail to install even when using domain credentials.
I’m seeking guidance to implement a reliable solution where domain users are completely restricted from installing any applications unless they have domain administrator rights.
Appreciate your assistance on this.
Best regards, Zeeshan