How do I ensure that users can run only applications that have been installed in /Applications?
With managed (parental control) accounts and "Allow apps downloaded from Mac App Store and identified developers" enabled, users are still able to download and run other applications.
I want to prevent this.
Solution 1:
You can easily do this by managing apps for that user in Parental Controls.
See this screen shot to limit apps. It is a per-app setting, so you need to maintain the list of allowed apps. The setting you posted in your question is for managing the code signing status of apps and not for restricting certain apps and certain user accounts.