Therein lies the answer then slarty, setup one server box, setup DNS for it, and configure it as a vhost box. Then give file share access to each dev on this box locked to a directory with their domain accounts, and point IIS to those directories for the vhosting. Your devs can have local admin access so the software can do what it needs to to that one box, and they could access their results at the appropriate resolved URL. This is how we did all our development, for a few security reasons.
It can be done so as to present little difficulty to the developer, and should help ease your security concerns.
Slarty, although i agree that is easier to let developers have local admin access, it is possible that run without it. For example, i worked at a large bank here and NO developer has special access. Every test is done thru TEST servers, that were customized specially for make their job easier. However, i do agree that is harder than just let them test on their computers. But sometimes we need to sacrifice (in THEIR point of view) "productivity" to achieve security. It is not a easy balance to do.
On that bank, there is a few group of people that has local admin. However, they signed an agreement about installing things on their computers. Just summ up, they can be fire with they get caught installing "un authorized" software on their computers. And the bank has a special audit procedure to take care of that.
Just harderned local security and minimize possible local admin exposure we can:
1) assign local admin (when needed) to a domain user - not give local admin user password to the requester;
2) disable local admin account and monitor any attempt to re-enable it
3) Just one local admin per machine - it is easy to get to invader :)
4) config password on bios to avoid cd/floppy boot - it will dificult the usage of stand alone password crack tools
5) fire out any deviation of that policy
About ideas worked on that company, after some smart guys had been fired out ...
We require 15+ mixed character passwords for service accounts.
Domain Admin logons & above require a SecureID-type dongle.
Oh, and as expected, that dongle needs a PIN to work.
Could be better, but it's a start.