Current setup:
Lots of .exe (and other) files are packaged inside an MSI installer (built with WiX) which installs the exe files into the Program Files directory. A bootstrapper exe is normally used (it installs prerequisites) and launches the MSI installer package. The installer package is usually started from a network share (access to which can be controlled on a user/group basis).
Background:
It is requested that not all users should be able to get access to all applications that get installed via the MSI installer.
Problem:
- How can the installer be secured so that even if someone who normally does not have access to the MSI installer file gets hold of it, they won't be able to install it (and thereby the applications, i.e. the exes within it) or extract the applications (using Orca or some other tool, for instance)?
Possible solutions considered so far:
- Create two installers: one which contains all applications and one which only contains the applications that should be used by those who should have access. This may impact maintainability when creating new releases, but the problem also remains that if someone gets hold of the entire MSI package, they can extract and/or install it to get the application exe files.
- Encryption: by encrypting the .exe files before embedding them into the MSI package, only those who have the means for decryption can run the applications, even if someone gets hold of the MSI installer. In that case, maybe only one single MSI installer package is needed (containing all applications, some of which are encrypted). But when the MSI installer puts those encrypted exes in the Program Files folder, for instance, how can an authorized user (having a decryption key in some form) decrypt them, since I suppose that the user would need elevated rights to write the decrypted app.exe to the installation folder under Program Files? Or should the decrypted file be output into a [User]\AppData\[MainApplicationName] folder, to which the user can actually write, and the application then be run from there (and maybe the "sensitive" application(s) can be removed after the main application closes, for instance)?
- Or are the above-mentioned solutions inferior, and should/could this be handled in some easier or more secure manner? Maybe some completely different ideas exist?
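One way the decrypt-on-launch variant above could look, as an added PowerShell example that is not from the original post: the MSI ships the sensitive application as an encrypted blob (app.exe.enc is an assumed name), and a launcher run by the authorized user verifies and decrypts it into a folder under %LOCALAPPDATA%, runs it, and deletes the plaintext afterwards. The 32-byte master key, the sub-key derivation and the tag|iv|ciphertext layout are assumptions of this example, not anything from the post.

```powershell
# Added example (not code from the original post): the "encrypt inside the MSI,
# decrypt under the user's profile at launch" idea. Assumes the MSI ships app.exe.enc
# and the authorised user holds a 32-byte master key (constructed demo key below).
function Get-SubKeys([byte[]]$Key) {
    # Derive separate AES and HMAC keys from the single master key
    $h = [Security.Cryptography.HMACSHA256]::new($Key)
    return $h.ComputeHash([Text.Encoding]::ASCII.GetBytes('aes-key')),
           $h.ComputeHash([Text.Encoding]::ASCII.GetBytes('mac-key'))
}

function Protect-Payload([byte[]]$Plain, [byte[]]$Key) {
    $encKey, $macKey = Get-SubKeys $Key
    $aes = [Security.Cryptography.Aes]::Create()      # AES-256-CBC, PKCS7 padding
    $aes.Key = $encKey; $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($Plain, 0, $Plain.Length)
    $body = [byte[]]($aes.IV + $cipher)
    $tag = [Security.Cryptography.HMACSHA256]::new($macKey).ComputeHash($body)
    return ,[byte[]]($tag + $body)                    # layout: tag(32) | iv(16) | ciphertext
}

function Unprotect-Payload([byte[]]$Blob, [byte[]]$Key) {
    $encKey, $macKey = Get-SubKeys $Key
    $tag  = [byte[]]$Blob[0..31]
    $body = [byte[]]$Blob[32..($Blob.Length - 1)]
    $calc = [Security.Cryptography.HMACSHA256]::new($macKey).ComputeHash($body)
    $diff = 0; for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($calc[$i] -bxor $tag[$i]) }
    if ($diff -ne 0) { throw 'Payload tampered or wrong key' }   # verify before decrypting
    $aes = [Security.Cryptography.Aes]::Create()
    $aes.Key = $encKey; $aes.IV = [byte[]]$body[0..15]
    return ,$aes.CreateDecryptor().TransformFinalBlock($body, 16, $body.Length - 16)
}

function Invoke-ProtectedApp([string]$EncPath, [byte[]]$Key, [string]$AppName) {
    # %LOCALAPPDATA% is writable by the user, so no elevation is needed for the plaintext
    $dir = Join-Path $env:LOCALAPPDATA $AppName
    New-Item -ItemType Directory -Force -Path $dir | Out-Null
    $exe = Join-Path $dir 'app.exe'
    try {
        [IO.File]::WriteAllBytes($exe, (Unprotect-Payload ([IO.File]::ReadAllBytes($EncPath)) $Key))
        Start-Process -FilePath $exe -Wait
    } finally {
        if (Test-Path $exe) { Remove-Item $exe -Force }  # drop the plaintext once the app exits
    }
}

# Round-trip check with a constructed key and payload (no real exe involved)
$demoKey  = [byte[]](1..32)
$blob     = Protect-Payload ([Text.Encoding]::UTF8.GetBytes('MZ demo payload')) $demoKey
$restored = [Text.Encoding]::UTF8.GetString((Unprotect-Payload $blob $demoKey))
if ($restored -ne 'MZ demo payload') { throw 'round-trip failed' }
```

Whoever holds the key ends up with the plaintext on disk in their own profile, so this only keeps the applications from users who never receive a key; the share ACL and the key distribution, not the MSI file itself, remain the actual access control.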