Morganlefay already hinted about this but filtering bad content (executables, viruses etc.) should be done before it actually reaches the client. So for web and email traffic I would suggest looking into proxy servers that can do content scanning. These can be used to filter out the filetypes you don't want.

And like d0ppy says, you can do a lot with group policies but probably not everything you want to do.