Agreed. I did a little more asking around yesterday and infact what we have setup is a SUS server. But the average user will not have the ability to reject the patches from this server. Autoupdate is setup on the machines, only it looks to your central server. And the admin behind the server (say for your network it would be you) has the flexibility to select which patches you want to be installed.

You can also select what time to update these patches so you can do it on regular off peak hours and the users will never know the difference. For our network some of the patches won't agree with our software so we would naturally uncheck these, and they wont be able to update with the faulty patches. Initially it may be alot of work getting the server setup, but once its working only the SUS admin will be taxed with getting the patches, and only on one computer, not thousands!

I'm all about the work smarter not harder