They aren't too hard to implement. I use Software Restriction Policies on the computer part of the GPO to block exes from %temp%, %tmp%, etc. This can cause some problems with installations, but you can always remove the restriction, run the install, and then add the restriction back.

The exe whitelisting is a bit more tedious. It is easy for a user to bypass, but it seems to prevent several malware infections. I haven't seen any users bypassing it, but that obviously doesn't mean that they aren't. I use the 'Run only allowed Windows executables' on the user side of the GPO. You basically just build a list of allowed exe names.

Having users run without admin privs seems to be a key element in our stability. Sure, it means a bit more work for me, but it pays off in the long run.
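As an added example (not from the post above), this PowerShell script audits the two controls the post describes on the local machine: it lists the Software Restriction Policy path rules the computer-side GPO writes under HKLM, flags whether any Disallowed rule covers %TEMP% or %TMP%, and prints the user-side "Run only specified Windows applications" allow list. It assumes a domain-joined Windows client where those policies have already been applied; it only reads the registry and changes nothing.

```powershell
# Audit SRP path rules and the RestrictRun allow list on this machine (read-only).
$srpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$rrRoot  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# SRP security levels as stored in the registry (subkey names under CodeIdentifiers).
$levelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained';
                 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpPathRules {
    if (-not (Test-Path $srpRoot)) { return @() }
    foreach ($levelKey in Get-ChildItem $srpRoot) {
        $level = [int]$levelKey.PSChildName
        $paths = Join-Path $levelKey.PSPath 'Paths'
        if (-not (Test-Path $paths)) { continue }
        foreach ($rule in Get-ChildItem $paths) {
            # ItemData is REG_EXPAND_SZ; read it raw so %TEMP% is not expanded.
            [pscustomobject]@{
                Level = $levelNames[$level]
                Path  = $rule.GetValue('ItemData', '', 'DoNotExpandEnvironmentNames')
                Note  = $rule.GetValue('Description', '')
            }
        }
    }
}

function Get-RestrictRunList {
    $enabled = (Get-ItemProperty $rrRoot -ErrorAction SilentlyContinue).RestrictRun
    if ($enabled -ne 1) { return $null }          # policy not enabled for this user
    $key = Get-Item (Join-Path $rrRoot 'RestrictRun') -ErrorAction SilentlyContinue
    if (-not $key) { return @() }
    $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
}

$default = (Get-ItemProperty $srpRoot -ErrorAction SilentlyContinue).DefaultLevel
if ($null -eq $default) { 'SRP: no DefaultLevel set (policy not applied?)' }
else { 'SRP default level: {0}' -f $levelNames[[int]$default] }

$rules = @(Get-SrpPathRules)
$rules | Format-Table -AutoSize
$tempRules = @($rules | Where-Object { $_.Level -eq 'Disallowed' -and $_.Path -match '%(TEMP|TMP)%' })
if ($tempRules.Count -gt 0) { 'Temp-folder block rules present: {0}' -f $tempRules.Count }
else { 'WARNING: no Disallowed SRP rule covers %TEMP% or %TMP%' }

$allow = Get-RestrictRunList
if ($null -eq $allow) { 'Run-only-allowed-apps policy is not enabled for this user' }
else { 'Allowed executables ({0}): {1}' -f @($allow).Count, (@($allow) -join ', ') }
```

Run it in the context of a standard (non-admin) user to see the allow list that user actually gets; the HKLM SRP keys are readable without elevation.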