... and have copies of the public keyrings under their profile.
The best way to do this with moderate assurance is to use PGP Universal server to manage keys for these users in Guarded Key Mode - and while this can achieve this for you there is no way to do this in standalone without setting the profiles up first.
If you need to use PGP Desktop in a multi user env without Universal Server you should consider the following(this is not exhaustive and can be added to quite a bit):
1. Let each user have their own Private Key protected by a strong passphrase - back this up - if these users share a private key* ensure each user has a copy protected by a different passphrase - protect the logs copying them out to another location using syslog agents to send to an external server!
2. Copy the correct public keyrings for each user;
3. Have each user set up with their own profile - even if the admin accesses their profile as long as their are no keyloggers and the machine isn't compromised and the users don't share the passphrase for each key should remain secure;
4. securley store and backup the private key(ideally keys);
5. Sign th eusers keys with the admin key and use this for trusting their keys externally;
6. You can use msconfig to disable PGP Desktop for all but these users - window dressing sure - but if these users have a feeling that only they should access the app it will seem to be be more secure in thier minds- a lot of the security offered from a control comes from th emindset of those using it;
7. Have a cleary defined set of processes for doing things - i.e. always clear the cache on th eprivate key passphrase if away from the system.
So , long story short - you must set up users in advance - you can share/copy public keyrings and this is fine, you can share private keys - but you really shouldn't.
So, hopefully some food for thought PCI likes you to have reasonably assured technical controls in place - but process can bridge the gap - after all we all have to trust something.
*This is usually a bad idea - but it happens - dealing with this in the most secure way with the least operational impact is the art - best bet is to put it on a smartcard and lock it in a safe controlled by someone else who doesn't have the PIN toi the smartcard.