There's really no way to prevent a user from setting up BIS and getting personal mail delivered to the device.
Using IT policies, the best you can do is force all outbound mail sent from the device to be sent through the BES account, which should give you some level of control.