Your best bet
by Jimmy Greystone - 3/6/12 9:16 AM
In Reply to: Windows Vista : Ultimate Restricted Account, HELP! by E404UserNotFound
Your best bet, and just for the record I agree with Bob, would be to set up an Active Directory domain. This allows you to access a bunch of permissions and whatnot which are not otherwise easily accessible in Windows, and you can apply it to all the systems at the same time, managed from a central location.
It's certainly not foolproof, and anyone who can exploit some kind of local privilege escalation bug can still do a bit of damage if they want. We won't even get into the possibilities posed by LiveCDs and the like.
What you may want to consider as an alternative is not even trying. There are programs like Deep Freeze which will essentially lock a system configuration in place. While someone is free to make any changes they want while running the system, as soon as you reboot, the OS is reverted back to that specific state you set it at. In essence, it reimages the drive every time you reboot.
I might also consider putting up a desktop wallpaper just saying that logins are tracked and periodically audited, so anyone caught doing anything they shouldn't be will be subject to some kind of sanction. Then, assuming you have a lab or something set up, you just post a couple copies of the rules, and add to the text on the wallpaper image that copies of the rules are posted, and if they have any questions to direct them to one of you lot who manage the systems. And just for good measure, maybe every so often, under the posting of the rules, put up a log of everyone who has logged in, the time, etc., just to make it clear it's not an empty threat. You could probably even just fake one, and most people would never know the difference.