Copying .app from another computer bypasses admin credentials

eaborghard
New Contributor

Users have found that they can copy, say, dropbox.app from their home Mac to a USB and then copy the dropbox.app to their work desktop and bypass the need for an admin account to install an app. My original plan was to use Restricted Software to block this but I can't see in the future and know every app that users might try to slip past admins.

If anyone could give me any ideas on how to handle this it would be greatly appreciated.

Thank you,

Eric

3 REPLIES

alexjdale
Valued Contributor III

How do you handle the countless legit apps that work this way, like Chrome or Firefox? Packaged apps generally rely on something more that would ultimately be missing if you just copied the app over.

mm2270
Legendary Contributor III

The only way to stop this is to go down the rabbit hole of using restrictions on what directories applications can be launched from. I forget now exactly what it's called in Config Profiles, but under the older MCX, it was referred to as whitelist and blacklist folders. It might still have that reference. I believe it's located under Restrictions. You can add /Users as a blacklisted location, which stops them from being able to launch from their home directory.
However, be prepared to play a long game of whack-a-mole if you go this route. Often, you end up needing to keep adding in all kinds of whitelisted locations, over and above just /Applications/ because so many apps these days need to write into and launch helpers and all kinds of other nonsense from various user level locations. Google Chrome is notorious for this, and it becomes almost impossible to whitelist it properly due to some randomization it uses. And hence it will start complaining about not being able to launch its own helper tools each time a user runs the software or when it tries to check for updates.
There are threads about this that you should read. Here are two older ones - thread one, thread two
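
An added example, not part of the reply above or of any management product's tooling: a shell audit that lists app bundles sitting outside approved folders, so you can see what an allowed-folder list would have to cover before turning on launch restrictions. The `ALLOWED_DIRS` default and the function names are assumptions.

```shell
#!/bin/sh
# Inventory .app bundles that live outside approved folders.
# ALLOWED_DIRS is a colon-separated list; this default is an assumption,
# adjust it to match the folders your launch restrictions would allow.
ALLOWED_DIRS="${ALLOWED_DIRS:-/Applications:/System:/Library}"

# is_allowed PATH: succeeds when PATH sits under one of the allowed folders.
is_allowed() {
    local path="$1" dir
    local IFS=':'
    for dir in $ALLOWED_DIRS; do
        case "$path" in
            "$dir"/*) return 0 ;;
        esac
    done
    return 1
}

# list_stray_apps ROOT...: prints every top-level bundle under the given
# roots that is not inside an allowed folder, one path per line.
list_stray_apps() {
    local bundle
    # -prune stops descent into a bundle, so helper apps embedded inside
    # a parent bundle are not reported as separate findings.
    find "$@" -type d -name '*.app' -prune -print 2>/dev/null | sort |
    while IFS= read -r bundle; do
        # A launchable bundle carries Contents/Info.plist; skip folders
        # that are merely named *.app.
        [ -f "$bundle/Contents/Info.plist" ] || continue
        is_allowed "$bundle" || printf '%s\n' "$bundle"
    done
}

# When run with arguments, scan them, e.g.: sh stray_apps.sh /Users
if [ "$#" -gt 0 ]; then
    list_stray_apps "$@"
fi
```

Running it against `/Users` before enforcing anything shows which user-level locations already hold bundles, which is the list you would otherwise discover one complaint at a time.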

ChristopherGlov
New Contributor III

So multiple ways to do this. You can block certain processes at the kernel level which we do sometimes. Or you can make the applications folder read-only for users.