This thread puzzles me. First, you have someone using auto login and the word "secure" in the same sentence. Baaad.
Next, you have someone using the term "admin" auto login, which suggests that a local admin account may be used to auto login a user. Then you have the question asked about how to lockdown the host and make it more secure. Even if he is logging in AD user accounts, there are tons of issues with doing so.
I'm left puzzled. Why the hell would you use autologin in the first place? This means that *anyone* can boot that machine and have at your network. Let's not forget the very basic need of accountability. How will you know who did something if you're auto logging in clients?
This leads me to the simple answer to all of this. Fire the IT dept and hire someone capable of setting up and securing a domain properly. If you do this, end users will not be able to bypass anything. The answer seems overly simple to me.