Try delivering via logon script.
You could also look into more inelegant solutions such as forcing win
mess to use a fixed port (registry flick via logon script) then blocking
that port(s) at the firewall.
Have you updated the .adm templates?
Personally what I would be doing is installing the problem app on a test
machine and experimenting with a lockdown in which the app will run
properly. Alternatively, you could try running the app in terminal
services/Citrix which would then allow you to set the local PC rights.
Also look at content filtering, esp with extension/download blocking.
There are a number of content filters, from IPCop running Cop+ to
DansGuardian to hardware-based solutions. If no users can download any
executable code in the first place, it makes it slightly more difficult
to install ;-)