Jose Garibay -
I created a policy to disallow users from running .exe files from the "download folder"
User Configuration> Policies > Windows Settings> Security Settings > Software Restriction Policies > Additional Rules        From here I created a new path rule to the "C:\Users\%username%\Downloads" and set the security to "Disallowed". I could not get it to work though. On the security levels I had tried the unrestricted but that didn't  work for browsers so I tried to finds something else.

This Policy made the standard user from being able to open the MMC and completely negate the possibility of funny business since you can't open it at all anymore.
User Configuration> Policies > Windows Components > Microsoft Management Console > Restrict the user from entering author mode

This Policy was just a plan B in case the user got into the MMC
User Configuration> Policies > Windows Components > Microsoft Management Console > Restrict users to the explicitly permitted snap-ins
Then I disabled some snap-ins that wouldn't be good for standard users to use.

Then I restricted access to some control panel items
user configuration > policies > administrative templates > control panel > programs >
the I enabled hide: get installed updates, programs and features, programs control panel, windows features, windows marketplace.

I wanted to  restrict the user from getting updates from the microsoft store but server 2012 r2 doesn't have the gpo so I did it locally on the windows 10 machine.