Having the program be installed by root but not require admin rights to update, I presume. That sort of system is quite possible with services or scheduled tasks on Windows. In fact MSI can do that already as long as everything is signed.
The MSI offers a number of GPO switches so a domain admin can do things like disable auto-updates, disable extensions from being installed, black- or whitelist individual extensions, etc. You're commenting like you've never actually done this, which is probably why you're being downvoted.
By comparison, Chrome for Enterprise currently offers only about a dozen GPO switches and IE6 offers 1300, but the dozen they chose cover about 90% of possible use cases and the team is working on adding more all the time, as they are justified.
What exactly would make you happy?