Citrix Prevent Admins installing Printer Drivers

Im sure everyone knows the dangers of having uncontrolled printer drivers on terminal servers.
A common problem i have encountered is support staff with admin rights accidently installing drivers without realising. This can happen quite easily with users who RDP or ICA direct to the server with their locally attached printers mapped. Although there are Citrix policy and AD group policys to say "Dont install any drivers" these often seem to have little impact and we commonly see Printer drivers suddenly arrive.

To Prevent this at my current site NTFS permissions for admins and system accounts have been set to read only on the directory
C:\WINDOWS\system32\spool\drivers\w32x86
We have a single specialist admin account with full control which we can use when we need to install a new driver.

Citrix has just published an article on this subject and advises a similar step but on the registry rather than file permissions. They advise in article CTX120618 to set Admin and System accounts to read access on the following registry key to prevent accidental printer driver installation

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\Version-3