For click-happy users, nothing short of Chinese-level filtering or stripping all their install rights is enough.
Correct. We just locked down a company (major firm) so tight, they can't go to any IP's that we do not designate. It's impossible to bypass this due to application controls, that is - we only allow specific applications to access those iP addresses. This company takes security VERY seriously, and this ultimately, would be extremely difficult to have them compromised. XYZ Application -> Allowed IP, that's it.. Plain and simple! While that severely limits them, it also incredibly secures them, and given the nature of their business, no wonder they want it. The firm does have a segregated guest WiFi, but even that is quite restricted, and has no chance of accessing the local network in any form (device segregation w/vlan).