A caveat with this is you should also have a firmware lock in place. Otherwise, users can start Internet Recovery and install an OS. For a little more on doing this, see the article on Administering Open Firmware/EFI Passwords.
Also, I've found that Restricted Software can be fairly ineffective. In some cases it is as easy as renaming the app then running it. One way I've seen work is restricting InstallAssistant in addition to the OS installers. I would also look at using the Restrictions payload in Configuration Profiles to defer software updates (10.13.4 minimum), disallow Software Update Notifications, and Restrict App Store to software updates only.
Really, though, it seems that the most effective way to stop this would be to take away administrative privileges, but I understand that's not an easy topic to broach.
