People can still by-passing constraints by accessing root/pypi directly.

[GaryZ88]

Is there any better way to restrict internal staff to install a pre-defined set of pip packages?

[fschulze]

Do you block pypi.org? If you do, you could also block root/pypi/+simple.