If the administrator was smart and didnt want the users to have high access they would just take the cdrom out of the boot path and put a password on the bios... also the a: out aswell stopping using programs like the linux boot disk that changes passwords (cant remember name) - also bluecon will give the user the ability to change passwords aswell if the cd is able to be booted

so really i would just take the cdrom and floppy out of the boot path and password the bios.. only the administrator needs to access it

[edit] this was already mentioned above but it is still useful info and there is some extra .. my bad [/edit]