How to allow Administrator-chosen certificates to work, but not allow users to trust new certificates?

There is no direct way to force users NOT to trust a form, but installing the form copies its name into the Registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\11.0\InfoPath\SolutionsCatalog. "Users" don't have write access to this key, only read access. They'd be able to open fully-trusted forms, but not trust new ones.

Then comes the digitally signed form. Digitally signed forms have to be from a Trusted Publisher, or they get blocked. But you can block trusting publishers as well.

InfoPath uses the same trusted publishers list the rest of Office does. By default this is stored at "HKEY_CURRENT_USER\SOFTWARE\Microsoft\VBA\Trusted". If you copy that key and its values to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Trusted", then the HKLM list will override the HKCU list. You can then set ACL permissions on the "Trusted" key so that "Users" can read, but not write to, that key. That would allow Administrator-chosen certificates to work, but not allow users to trust new certificates.

The documentation for this can be found at https://www.microsoft.com/technet/security/bestprac/mblcode.mspx. Scroll about 3/4 of the way down the document to the section heading "Office 2000 Signed Macros".
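As an added example (not code from the original answer), this PowerShell script carries out the steps the answer describes: copy the HKCU trusted-publishers key to HKLM, grant "Users" read-only access to it, and audit that no write rights remain. It assumes an elevated PowerShell 5.1 or later session and that the HKCU key already exists; the function names are my own.

```powershell
# Added example, not code from the original post. Mirrors the per-user trusted
# publishers list into HKLM and makes it read-only for Users, as the answer describes.
# Assumes an elevated PowerShell 5.1+ session and that the HKCU key already exists.
$Source = 'HKCU:\SOFTWARE\Microsoft\VBA\Trusted'
$Target = 'HKLM:\SOFTWARE\Microsoft\VBA\Trusted'

function Copy-TrustedPublishers {
    param([string]$From, [string]$To)
    if (-not (Test-Path $To)) { New-Item -Path $To -Force | Out-Null }
    $srcKey = Get-Item -Path $From
    # Every value under the key is one trusted publisher entry; copy type and data verbatim.
    foreach ($name in $srcKey.GetValueNames()) {
        $kind = $srcKey.GetValueKind($name)
        $data = $srcKey.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        New-ItemProperty -Path $To -Name $name -Value $data -PropertyType $kind -Force | Out-Null
    }
}

function Set-TrustedKeyReadOnlyForUsers {
    param([string]$Key)
    $acl = Get-Acl -Path $Key
    # Break inheritance so the rules set here are the complete ACL; inherited rules are dropped.
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = 'ContainerInherit, ObjectInherit'
    $grants = @{ 'NT AUTHORITY\SYSTEM'     = 'FullControl'
                 'BUILTIN\Administrators' = 'FullControl'
                 'BUILTIN\Users'          = 'ReadKey' }   # read-only: no SetValue, no CreateSubKey
    foreach ($id in $grants.Keys) {
        $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
            $id, $grants[$id], $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Key -AclObject $acl
}

function Test-UsersCannotWrite {
    param([string]$Key)
    # Audit: any Allow ACE for Users carrying SetValue or CreateSubKey would let a user
    # add a publisher entry, which is exactly what the answer wants to prevent.
    $writeBits = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'
    $acl = Get-Acl -Path $Key
    $leaks = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        (($_.RegistryRights -band $writeBits) -ne 0)
    }
    return ($null -eq $leaks)
}

Copy-TrustedPublishers -From $Source -To $Target
Set-TrustedKeyReadOnlyForUsers -Key $Target
"Users write-blocked on $Target : $(Test-UsersCannotWrite -Key $Target)"
```

The audit function only inspects the BUILTIN\Users ACE; if the key also grants Everyone or Authenticated Users, extend the identity check accordingly.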