The way I overcome this is with planning and infrastructure. Being the IT manager, I consult with office managers as to their requirements needed from their computer systems. The basics are; email, web browsing, excel, word, basically anything needed for their office workings. The managers know that programs can't be used if they have not been installed by me basically. My virus protection is easy. These programs are monitored by my firewall and if binary files or any data files attached to programs change it reports the action to my main server, so nothing on the local computer, being pop ups. If my server deems it a threat which if binaries change in programs it means I need to lock that computer down until I can contact the user. Then comes the interpreters utilized in everyday use in computers like Java, Perl, PHP and so on. These are the difficult ones to handle being the code is provided by an outside server which I don't control. So I filter all cgi and client side scripts before they are loaded by the workstation. Which is why most java games are not permitted/can't be used at work. This means the managers love me but the workers hate me. No pop-up's, hack proof to this day, and very easy to manage. Im against virus protection because it only protects against know threats. If I was to target a user I wouldn't use an old bit of code. The best way to manage any IT environment is with planning and infrastructure.
TM