I want to prevent a non-admin user from executing any program except a few default ones. This includes program files which the user himself may create and own, or download or copy from removable media. How do I do this in Ubuntu?
You can't. Not effectively at least.
You can mount all user-writable disks as noexec, which will disallow running any binaries placed on those disks. This would typically be /tmp. Other places should normally not be writable for the user.
This will preclude any pre-compiled binaries from running. But it will not stop someone running a python script or similar. And you can do almost everything you can in C++ in Python...
Trying to stop users from using things like bash will likely render the system more or less entirely broken for them.
You could look into AppArmor as well to restrict user permissions. Ultimately, you should set up a threat and risk model, and get a more detailed description of the problem than simply allowing a simple whitelist. Otherwise you risk ending up with breaking the system by accident, or leaving in stuff that effectively negates the benefits of all your work...
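A defender-side check for the noexec advice in the answer above, added here as an example and not part of the original post: it audits mount entries in /proc/mounts format (constructed sample data) for user-writable mount points that lack noexec, and emits the fstab entry that would add it. The list of user-writable prefixes and the extra nosuid,nodev options are my assumptions, not something the answer states.

```shell
#!/bin/sh
# Added example, not from the original answer. Audits mount options for
# user-writable filesystems. Input lines follow the /proc/mounts format:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>
# SAMPLE_MOUNTS is constructed sample data, not taken from a real system.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,relatime 0 0'

# missing_noexec MOUNTS_TEXT
# Prints, one per line, every mount point under the (assumed) user-writable
# prefixes /tmp, /home, /media, /mnt and /run/media whose options lack noexec.
missing_noexec() {
    printf '%s\n' "$1" | while read -r dev mnt fstype opts rest; do
        case "$mnt" in
            /tmp|/tmp/*|/home|/home/*|/media|/media/*|/mnt|/mnt/*|/run/media/*) ;;
            *) continue ;;   # not a location users are expected to write to
        esac
        # Options are comma separated; pad with commas so only a whole
        # "noexec" token matches (not e.g. a hypothetical "noexecfoo").
        case ",$opts," in
            *,noexec,*) ;;                 # already mounted noexec
            *) printf '%s\n' "$mnt" ;;     # finding: executables would run here
        esac
    done
}

# fstab_line MOUNTPOINT FSTYPE DEVICE
# Emits the /etc/fstab entry that mounts a disk-backed filesystem with
# noexec plus nosuid,nodev (fsck pass 2, i.e. checked after the root fs).
fstab_line() {
    printf '%s %s %s defaults,noexec,nosuid,nodev 0 2\n' "$3" "$1" "$2"
}

# Stand-alone run: report each finding. Note that, as the answer says, this
# only blocks direct execution of binaries; interpreters remain usable.
missing_noexec "$SAMPLE_MOUNTS" | while read -r mnt; do
    echo "WARNING: $mnt is user-writable but mounted without noexec"
done
```

On a live system you would feed it `"$(cat /proc/mounts)"` instead of the sample text.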