In my location I support roughly 350 users. Due to recent ISO requirements, I am being forced to downgrade all users to "user" rights locally and some to "power user". My users are Developers, programmers, System/Server Engineers, Network Engineers, Systems Support, Implementation Consultants and Service Desk users, along with some Admin types and "normal" users. Given the job functions, the testing requirements, the troubleshooting they do and the need for installing / uninstalling software constantly, I'm not sure exactly how to accomplish the corporate / ISO requirements without cutting my users off at the knees.
Can users install updates (Windows, Adobe, etc.) or plugins to IE / Firefox like Java (our products use multiple versions of Java)? I believe Power Users will be able to install these updates and Java versions since I do not believe they modify any system files. What are the exact limitations between User and Power User rights?
Other users will need to install our company products for use or testing, and will need to be able to use Desktop Streaming for client support. Others yet need development tools or the ability to configure their systems to mimic client systems for troubleshooting. I have been considering options like making sub-OUs with certain rights, local Security policies or even VMware or similar virtual desktop solutions. The VM solution seems like an easy choice on paper, but I think this opens everything back up from a security perspective (an Admin VM session would have the same rights / network access as having local Admin rights).
What kind of solution should I implement to satisfy all of my requirements and needs?