Regardless of what technical solution you come up with, someone will find a way around it. If you're serious about this (and not just doing it to discourage casual downloads or fulfill some faceless policy mandate), then please, please,
Talk to your users!
Explain why you're blocking what you're blocking. Help them to understand the importance of it. And then listen to them when they tell you why they still need to download executable files, and help them find a way to do their jobs without making your job harder.
For years, one of our suppliers had a system similar to yours in place. Unfortunately, they were also responsible for providing us with regular updates to their pricing software, and during testing it was common for executables to frequently travel back and forth between our networks. Due to the filters, we all just got in the habit of renaming files (.exe -> .ear, etc.), compressing them, compressing then renaming them, even using personal machines to transfer them... not only subverting the restrictions and amplifying the potential danger to both companies, but also destroying much of our respect for those behind the restrictions.
Finally, someone got the message and set up a secured FTP server for us to use.
It's all too common to focus on the technical side of things, and forget about the resourceful humans who must deal with the consequences of them. Naturally, if you're already doing this, then more power to you!
Best Answer
Unfortunately there isn't a global proxy configuration in Windows (outside of Internet Options) that all apps pay attention to. Many apps don't use Internet Options, and many of those that don't don't support proxy autoconfigs. For those that don't you're relinquished to manually configuring them.
What app(s) are you looking to configure? There are ways to centrally maintain some things to take the administrative burden off a bit.