I didn't let developers install anything on my IIS web servers unless the server was dedicated to their application team. Typically we created a network share at the site root folder and the developers just did a file copy or a Visual Studio publish to the share.
Some applications had Windows services that occasionally needed to be stopped/started. I was not about to grant developers admin access, so I built my own ASPX web site that authenticated users and showed them a page where they could stop and start just their services. It was based on the user's membership in a local security group.
I don't know what "composer install" does. What files (or registry keys) does it update outside of the root folder? Typically, the word install implies administrator access. Can't the developer configure "composer" on their desktop, and then publish the site content to the web server? Is it a repeatable command where you could build a front-end web site to run it on behalf of the user like I did with stop/start of a Windows service?