We're in a similar situation, with a shared server and many users. We've disabled internet access from the production server, and we use a separate development server to access the internet and install packages to a single library. We then rsync that to prod, where everyone accesses it. It's not a great setup and has led to pain when an update to a widely used package broke existing code. I'm working on getting packrat set up, but it's challenging in an offline environment.
In terms of security, we're also feeling our way through. We generally trust anything on CRAN without further review. For GitHub, if we generally trust the authors (professors at a major institution, for example), then we'll go ahead, but in general we've been hesitant to install such code. In the future we might need to coordinate with our security team to do detailed code reviews.