I did briefly read that one could access such data/passwords that were just recently stored on those machines, not using an admin account. Files created for the specific user were meant to hasten access time for that user, because it takes much longer to talk to the network server every time, and it would slow down the network if the server kept getting spammed by old users.
That is incorrect. XP holds the last 10 login/passwords by default. The idea is that users can still log in even if the domain controller or ADS tree cannot be found.

The question of recovering a password would depend on how the machine was accessed. If you want to stop it you have to make sure that the machine is locked down and locked up (physically). If people can boot from live CDs you won't be able to stop it.