The application is fully portable, including all data and settings.
However, you need to install in a writable location if you want to allow your users to install extensions (as all the extensions and additional Python packages that they pull in must be all available to all users). It might be possible to remove this requirement (e.g., install additional modules and Python packages in the user’s folder), but it may not be easy to implement this and there has not been very strong demand for it (but you can submit a feature request and see how much support it gets).
If you want prevent your users from from installing extensions then install Slicer into a read-only folder (e.g., in C:\Program Files). You can disable the extension manager in application settings to prevent the extensions manager from showing up in the application. You can pre-install selected extensions by starting Slicer as administrator. Users that have admin access can also launch Slicer as administrator and then install extensions.
Since each user may want to use different set of extensions and settings, I would generally recommend to install Slicer per user. In some institutions a Slicer shortcut is added that launches a script that downloads and installs Slicer in the user’s folder if Slicer is not installed there already.
How your users are expected to use Slicer? Do they need to install extensions? Are your users generally allowed to install any software (applications, Python packages, etc.) and you just pre-install Slicer for convenience?