How can I prevent pushing images to

I’m running a 2 node swarm environment with an own private registry. The environment is designed to permit users running containers based on pulled images from
But I want to prevent users from pushing deployed images back to because of copyright/security reasons.
All self-deployed images should be pushed into the private registry only.
To get a effective control on that topic I’m in search of an idea/solution which covers that issue. Any Ideas?

Well I sort of have the same issue but a little different env but you might be able to operate the same way. All the systems/dev machines have access only to the private registry with no internet access. I pull as needed from the docker hub what I need when I need it from a VM that is NAT’ed. Once I have it local switch back to Bridged and push to the private registry so any system can pull it down.