Being the evil corporate IT overlords, we need to block the new OS X App Store. As you may be aware, the 10.6.6 update installs the App Store app, which allows users to download and install apps without admin privileges.
Some Suggestions:
Don't update to 10.6.6+
Use parental controls
Presumably some OD policy (if you have an OD server which we don't)
Block the App store by DNS or Proxy
Not updating to 10.6.6+ isn't really a long-term solution, as it contains security fixes and new Macs will come with it anyway. Blocking the App Store at a network level doesn't solve laptop users.
Ideally a simple system preference or editing of a plist that can be pushed out by ARD would be the best solution.
Please note the question isn't should we block the App store, it's how we can block the App store.
As a quick update, it seems that if you are not using an account with admin privileges, you may need to supply admin credentials the first time you download an app to install it, which may solve some of the problem. Very different behavior to the normal OS X elevation of privileges, which asks admins and non-admins alike.
If you don't have these computers attached to an OpenDirectory server (the preferred way to do this is to restrict the launching of the app through Workgroup Manager) you can set the permissions on the App Store application to not allow users to run it:
This keeps anyone from launching the application. It can be pushed out through ARD, can be added to your base image, and can be set in a startup script.
I have no idea what this will do to other applications running on the system so you should test it first.
The iTunes Store connects on standard HTTP(S) ports, 80 and 443, so I assume that the Mac App Store does the same.
Here is the Apple knowledge base article on blocking the iTunes store by URL: http://support.apple.com/kb/HT3303
It says
From a quick tcpdump, it appears that the App Store uses the same URL... for now.
Run a packet sniffer. Run App Store. Find out what the address(es) are that the Apple App Store uses. Block all incoming/outgoing on that address, on that port, on your perimeter firewall.
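One way to turn the capture described in the answer above into a list of names and addresses for a firewall or proxy rule. This is an added example, not part of any of the original answers; it assumes the capture was taken as default text output from `tcpdump -n port 53` while the App Store was running, and the sample lines, host names and addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n port 53` text output. Names and addresses
# are placeholders, not real App Store endpoints.
SAMPLE = """\
12:00:01.100000 IP 10.0.0.5.53211 > 10.0.0.1.53: 4242+ A? store.example.invalid. (39)
12:00:01.140000 IP 10.0.0.1.53 > 10.0.0.5.53211: 4242 2/0/0 CNAME cdn.example.invalid., A 203.0.113.10 (85)
12:00:02.200000 IP 10.0.0.5.49822 > 10.0.0.1.53: 5150+ A? static.example.invalid. (40)
12:00:02.230000 IP 10.0.0.1.53 > 10.0.0.5.49822: 5150 2/0/0 A 203.0.113.20, A 203.0.113.21 (72)
12:00:03.000000 IP 10.0.0.5.50000 > 10.0.0.1.53: 6001+ A? gone.example.invalid. (38)
12:00:03.020000 IP 10.0.0.1.53 > 10.0.0.5.50000: 6001 NXDomain 0/1/0 (95)
"""

# Query line:  <client> > <resolver>: <id>+ A? <name>. (<len>)
QUERY = re.compile(r"IP (\S+) > \S+: (\d+)\S*(?: \[\w+\])? A\? (\S+?)\.? \(")
# Reply line:  <resolver> > <client>: <id> <an>/<ns>/<ar> <answers> (<len>)
REPLY = re.compile(r"IP \S+ > (\S+): (\d+)\S* \d+/\d+/\d+ (.*) \(\d+\)$")
A_RECORD = re.compile(r"\bA (\d{1,3}(?:\.\d{1,3}){3})")


def resolve_map(lines):
    """Map each queried name to the sorted A-record addresses returned for it."""
    pending = {}               # (client ip.port, transaction id) -> queried name
    found = defaultdict(set)
    for line in lines:
        q = QUERY.search(line)
        if q:
            name = q.group(3).lower()
            pending[(q.group(1), q.group(2))] = name
            found[name]        # keep the name even if no address ever comes back
            continue
        r = REPLY.search(line)
        if r:
            # Pair the reply with its query; ignore replies we saw no query for.
            name = pending.pop((r.group(1), r.group(2)), None)
            if name:
                found[name].update(A_RECORD.findall(r.group(3)))
    return {name: sorted(addrs) for name, addrs in found.items()}


if __name__ == "__main__":
    for name, addrs in resolve_map(SAMPLE.splitlines()).items():
        print(name, ", ".join(addrs) or "(no address returned)")
```

Addresses behind CDN host names change over time, so the queried names are the more stable thing to feed into a DNS or proxy block; re-run the capture after OS updates.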
You can also edit your Active Directory schema so that it contains extra information that emulates MCX (similar to Group Policies). You can then log into your AD server from Workgroup Manager on a Mac, import AD users/groups as augmented records, and block the application. It's a lot of work to block one thing; however, in the long run it means you have a ton more control over your Macs.
Here's a link to an Apple webinar that walks you through the steps and explains (better and in greater detail) what I was talking about above:
http://seminars.apple.com/seminarsonline/modifying/apple/index.html?s=301
and here's a PDF (not sure if it's recent)
http://www.sticts.ch/MacWindows/Modifying_the_Active_Directory_Schema.pdf