There are various GP solutions available to lock down Windows, and if you're in a really large-scale environment I think Active Directory is pretty respectable.
Except they don't work, or at least not anymore. We have a generic one about blocking certain filetypes from being run from a zip (which is the standard vector for now), but all the other ones about blocking certain parts of the user's profile don't work. The malware just keeps trying different locations if it's denied write access somewhere.