You can enable AppLocker and have explicit control over what executes and what does not by creating rules. I know quite a few companies that enforce its use on their employees' PCs.
As an aside, AppLocker was trivially bypassable for several years -- there were two different APIs that allowed you to set an "ignore AppLocker" flag. We used to use it in high school to play games (or in my case, run gvim and some other development tools).
I think that there needs to be a more complete solution than just "secure the developers' machines". You need to have peer-review, where the developers sign commits to approve them.