It is a royal pain at times, but we use 'Run only allowed Windows Executables'. You can bypass this easily enough, but so far no students have figured out how. We enforce this for teachers too. Cuts down on them opening those wonderful .zip eCards.

The hardest part is creating the whitelist at the beginning.