Can you make them a standard (non admin) user account and then either keep the admin account to yourself (with remote desktop, probably) or at least call it something really clear like "this is dangerous" with a hard to type password, so they really have to think twice before using it?
It makes it harder for them to accidentally install rootkits and certain kinds of spyware and ransomware. It also makes it harder to install some software globally, but that's the point.
If you want to go a step further you can try to set it up in some kind of kiosk mode, but that's probably too restrictive for day to day use.
Of course you should explain why it's set up this way. Something like "In day to day use, your standard user account lets you run the programs you already have, create new documents, send emails, etc. All the day to day stuff is taken care of and should work the same as always have. And it protects from you bad software and people trying to hack your machine. In the rare cases you need to install some new program, you should double check to make sure it's safe and legit first, like Googling for its official source and calling me if you're not sure. Then if you're it's safe, you use this other special account I left on this post it under your desk. Use it sparingly and only when you absolutely need to!"
