Caveat: You really don't want your users to be "Administrators" on their PCs. You want to find a method to automate the distribution of software (see Mass installation on networked Windows computers? amongst other Server Fault answers) in lieu of allowing users to install the software themselves. (There are a variety of reasons why you don't really want this-- exposing the company to liability for unlicensed software, being able to install malicious software, and just plain screwing-up their computers are a few good ones.)
Having said that, Restricted Groups functionality in Group Policy is what you're looking for. It'll automate the group nesting on an arbitrary number of computers.
Instead of creating a nightmare for yourself later (not to mention a political situation where you can't ever take back the users' "Administrator" rights) I'd recommend you think strongly about learning how to centrally deploy software first.
Edit:
My answer re: managing updates for Adobe Reader is the same answer I'd give to you re: managing updates for the JRE and other "necessary evil" software like it. I'd develop a coordinated process of installing the software with Group Policy and updating it by deploying new packages when patches are released.