Looking at your post, I can think of 2 ways to look at this problem.
- Control user's access in Windows and prevent them from running the PI client tools or SMT
- Configure user's access in PI and restrict access to PI objects (like PI point, PI Tables) and prevent the IT group from having access
Since you mentioned that you do not want users in IT group to have access to PI admin tools, it seems to me that you are more look at this from the 1st perspective. Which would really go down to configuring Windows security to prevent users from access.
One way would be to restrict software based in group policy. Here's a webpage that talks more about this: http://windowsitpro.com/article/articleid/97128/how-do-i-use-group-policy-to-block-a-specific-application.html.
If you are looking for an option to restrict user's access to PI, then it would be configuring PI-Trust (or Mapping in PI 3.4.380) to map the IT user group to a particular PI-user (or Identities in PI 3.4.380) and defining their access rights within PI. In this case, you can refer to the Library section for the documents about "Configuring PI Server Security" under "vCampus PI Products Kit -> Server Products -> PI server".