Protecting workstations: How not to overblock

To reduce the attack surface, you can block many vulnerable software features. The question is: how can you do that without interfering with business processes?