In a perfect world yes and any good IT department will lock down systems appropriately. But every sufficiently sized org, and many small ones will have shadow IT. There is also the issue of much of the ware pushed through these channels actively tries to circumvent controls. Its not uncommon to find hapless users with adware on their system that managed to get around UAC and group policy. You can always lock down more but security has to be balanced with productivity and user education will always be an important part.