You can allow all users to install applications and/or you can allow only some users to perform this action. This all depends upon the group the end user is placed in and the rule modules associated with the group.
If you just want the minimum protection against trojans and worms that can be done, too.
Your client might find they want more than the basic protection. You could show them by placing the end users in Test Mode and logging the results to the CSA Management Console. This testing and tuning process allows for customized configurations based upon the type of machine and or the needs of the end user.
Hope this helps.