Re: You can only
This is all stuff that's straightforward to address.
End-users cannot install software, period, ever. End-users do not get admin access to their devices, period, ever.
Nothing on the internal network connects to the Internet except through a filtered proxy. Don't allow end-users to download executable, library, or script files unless they're devs. Make exceptions painful and whitelist only.
Nothing on the admin network connects to the Internet, except through a very strict, whitelist-only (site and content-type) proxy. No exceptions, period, ever.
Proxies are DMZ'd and isolated with the expectation that they will be breached. This can seldom be made perfect, but make it as tight as possible.
Company-owned remote clients run in VPN always-on mode. No split tunnels - VPN clients are filtered just like internal clients. They can watch Netflix on their own !#$% device.
Etc.
I've implemented every one of these rules (and more - I've been doing zero-trust since way before it was cool) and made them stick. In 25 years of IT management, my networks have NEVER been hacked. We had one outbreak of ransomware that was automatically isolated to two hosts, with no data exfiltrated, and only 40 end-user-hours (total) of productivity and six IT support hours of productivity lost at one site. The end-user hours of productivity were lost due to two network shares that were encrypted; we just restored the hourly backups and went about our business. That's it.
Security is possible, but it takes extreme thoroughness and discipline. Beyond that, I was able to do it because I had support from the C-Suite and the Board of Directors - learning to communicate with and "sell" policies to these people is just as critical as the technology part.
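An added example, not part of the post above: a small Python policy evaluator that encodes the egress rules exactly as the comment states them (no direct egress, VPN clients filtered like internal clients, executable/library/script downloads blocked unless a dev is fetching from an allowlisted host, admin network allowlist-only by site and content-type). The zone names, allowlists and blocked type/extension sets are constructed assumptions, not the poster's configuration.

```python
from dataclasses import dataclass
from typing import Tuple
from urllib.parse import urlparse

# Constructed sample policy data (assumptions for illustration only).
ADMIN_SITE_ALLOWLIST = {"updates.example-vendor.com"}
ADMIN_CONTENT_ALLOWLIST = {"application/json", "text/plain"}
DEV_EXCEPTION_HOSTS = {"pkgs.example-mirror.org"}  # painful-to-get, per-host exceptions
BLOCKED_DOWNLOAD_TYPES = {"application/x-msdownload", "application/x-executable",
                          "application/x-sharedlib", "text/javascript", "application/x-sh"}
BLOCKED_EXTENSIONS = {".exe", ".dll", ".so", ".msi", ".ps1", ".sh", ".js", ".vbs"}


@dataclass
class Request:
    zone: str          # "internal", "admin" or "vpn"; VPN is filtered like internal (no split tunnel)
    user_is_dev: bool
    url: str
    content_type: str  # as reported by the proxy after inspection
    via_proxy: bool    # False models a direct-to-Internet attempt


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Default is deny; every allow is an explicit rule."""
    if not req.via_proxy:
        return False, "direct egress blocked: all Internet traffic must traverse the proxy"
    parsed = urlparse(req.url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    zone = "internal" if req.zone == "vpn" else req.zone  # always-on VPN == internal client

    if zone == "admin":
        # Admin network: whitelist-only on both site and content-type, no exceptions.
        if host not in ADMIN_SITE_ALLOWLIST:
            return False, "admin zone: site not on allowlist"
        if req.content_type not in ADMIN_CONTENT_ALLOWLIST:
            return False, "admin zone: content-type not on allowlist"
        return True, "admin zone: allowlisted site and content-type"

    if zone == "internal":
        # Block code downloads for ordinary users; devs only via allowlisted hosts.
        is_code = (req.content_type in BLOCKED_DOWNLOAD_TYPES
                   or any(path.endswith(ext) for ext in BLOCKED_EXTENSIONS))
        if not is_code:
            return True, "internal zone: filtered proxy allows non-code content"
        if req.user_is_dev and host in DEV_EXCEPTION_HOSTS:
            return True, "internal zone: dev exception for allowlisted host"
        return False, "internal zone: executable/library/script download blocked"

    return False, f"unknown zone {req.zone!r}: default deny"
```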