Root login can be disabled pretty much completely on the local box, ssh, through `su` or X. You could require multiple authentication tokens to be connected to the laptop before root login is allowed. PaX does some and the stock kernel has options for the 'token' that I'm speaking of.

You could disable root to the point where the nobody user has a greater chance to actually log in than root ever does :P

And kudos to rcgreen for the link.