
Pranav Wagh's Blog

Thursday, September 22, 2005

How to allow Administrator-chosen certificates to work, but not allow users to trust new certificates?

Then comes the digitally signed form. Digitally signed forms have to be from a Trusted Publisher, or they get blocked. But you can block trusting publishers as well. InfoPath uses the same trusted publishers list the rest of Office does. By default this is stored at "HKEY_CURRENT_USER\SOFTWARE\Microsoft\VBA\Trusted".

 

If you copy that key and its values to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Trusted", then the HKLM list will override the HKCU list. You can then set ACL permissions on the "Trusted" key so that "Users" can read, but not write, to that key. That allows Administrator-chosen certificates to work, but does not allow users to trust new certificates. The documentation for this can be found at http://www.microsoft.com/technet/security/bestprac/mblcode.mspx.
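
The procedure above expressed in PowerShell, as an added example that is not from the original post or from Microsoft's documentation. It assumes an elevated session run as the user whose trusted-publisher list should become the baseline; granting Administrators and SYSTEM full control alongside read-only Users is an assumption of this example, and the principals are named by well-known SID so the script does not depend on the Windows display language.

```powershell
# Added example: copy the trusted-publisher list to HKLM, then make it read-only for Users.
$sub = 'SOFTWARE\Microsoft\VBA\Trusted'          # key path taken from the post
if (-not (Test-Path "HKCU:\$sub")) { throw "Source key HKCU\$sub not found" }

# Copy the key, its values and subkeys (/s), overwriting without prompting (/f).
& reg.exe copy "HKCU\$sub" "HKLM\$sub" /s /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg copy failed with exit code $LASTEXITCODE" }

# Helper (hypothetical name): build an Allow rule for a SID that also applies to subkeys.
function New-Rule([string]$Sid, [System.Security.AccessControl.RegistryRights]$Access) {
    $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    New-Object System.Security.AccessControl.RegistryAccessRule(
        $id, $Access,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$adminSids = 'S-1-5-32-544', 'S-1-5-18'          # Administrators, SYSTEM
$acl = Get-Acl -Path "HKLM:\$sub"
$acl.SetAccessRuleProtection($true, $false)      # stop inheriting, drop inherited entries
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
foreach ($sid in $adminSids) { $acl.AddAccessRule((New-Rule $sid 'FullControl')) }
$acl.AddAccessRule((New-Rule 'S-1-5-32-545' 'ReadKey'))   # Users: read, no write
Set-Acl -Path "HKLM:\$sub" -AclObject $acl

# Verify: report any non-administrative principal that can still modify the key.
$write = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$bad = (Get-Acl -Path "HKLM:\$sub").Access | Where-Object {
    $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    $_.AccessControlType -eq 'Allow' -and
    $adminSids -notcontains $sid -and
    (([int]$_.RegistryRights -band [int]$write) -ne 0)
}
if ($bad) {
    $bad | ForEach-Object { Write-Warning "$($_.IdentityReference) can still write: $($_.RegistryRights)" }
} else {
    Write-Output "HKLM\$sub is writable only by Administrators and SYSTEM."
}
```

Re-running the verification part on its own is a quick audit that the key's permissions have not drifted.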

 

 
