Below I put how to block that a user cannot install certificates on a desktop.
In a new GPO on User config configure the following settings to block a user for can not install certificates with internet explorer or use the certificates snapin:
The next step is to block by GPP than a user cannot install cert doing double click on the cert. The path to configure this is Computer Configuration\Windows Settings\Security Settings\File System.
There we add the following exe´s:
And add a new user group denying permissions.
When user will do double click will appear the following message.