I agree with @cderv . As he suggested, there is very little you can do to prevent a user from installing something from github. Remember, this is programming, and the packages are open source, so at the very extreme a user could just copy all of the function text and never download anything.
The best approach is to figure out what you want. Security? Validation? And then figure out how you work with your data scientists to make that happen.
The most successful installations we see are typically a repository managed by system admins, with a path to validation or something like it for users to request packages that they want to have added to the repository.
It ends up being the least cumbersome to admins, the most enabling to users, and allows for a free flow of communication about what features/packages are missing as well as what pain points there are in the process. The "shadow installations" become much less appealing if there is some feasible path to validated installation. On the flip side, as a data scientist, a "shadow installation" is a no brainer if it will save me 3 days of work or 10% accuracy in my model to use a package that someone else has already written (but may not be on CRAN, for a variety of reasons).
Our hope is that RStudio Package Manager will increasingly fill this void and facilitate that conversation between data scientists, IT, and security.
One final note, since I did not make it explicit - admin management of installed libraries on the server is usually complicated, time consuming, and insufficient. Remember, there are 12,000+ packages on CRAN, 4+ minor versions of R in active usage, and multiple package versions for each package. The number of combinations that could be installed is enormous, and the likelihood that a developer may want some combination that you did not install is nonzero. I promise - you are much better off spending your time on a repository than on installing packages into a library on the server.
The R user is used to installing packages, anyway, so it's no problem for them to have to install some stuff. Feel free to pre-load some popular packages, but don't try to install all packages anyone will need, because you will likely miss one (and waste a bunch of time/storage in the process).