There's nothing specific to prevent users from launching commands, but it should be simple enough to do. Just block file access or application launch to the below 'net' executables:
C:\Windows\System32\net.exe
C:\Windows\System32\net1.exe
A simple way would be to take the inbuilt "Block applications from running [AC1]" rule and add the above path(s) into the "[AC1-1.1] Block these applications" sections list of application exe's.
Just be aware that SEP's going to try to block any and all access/execution to/of those files, not just for users but system processes too. So test thoroughly, make sure this is what you want, and add exceptions where necessary.