Active Directory is for authentication. You can block executables with app locker via GPO, but there ins't anything to distinguish between an installer and an actual user program.
You can also control access to the Windows Installer service via GPO, but not all installers use it. The best method would be to restrict local admin rights to those allowed to installed programs.