The basic "rule" is that if you allow unsupervised physical access to a machine it can be owned.

The first step in this kind of situation is to perform a threat/risk analysis.

Thus far we have thought about live CDs and bootable floppies but there are others:

1. Live CD/DVD
2. Bootable floppy
3. External device attached to LPT1 etc.
4. USB drive
5. Other computing device via null modem cable
6. E-mail attachments
7. Internet downloads

You also need to consider that you need to protect the network as well as the authorised devices attached to it. Like what is the point if someone can just plug their private laptop into it.

You need to control the boot sequence and protect the BIOS. OK the BIOS can be attacked in a variety of ways, notably:

1. Remove CMOS battery
2. Operate jumper switch on MoBo
3. Short EEPROM chips with a paper clip
4. Flash the BIOS

As a starter, you would have to be sure that the cases are physically secure (locked).

Don't forget that you can use Windows policies and permissions to control what users are allowed to do. Frequently your security model needs to be both layered and integrated. Physical controls, OS authorities controls, third party software controls.

I usually start with the questions:

1. What do I want users to be able to do?
2. What don't I want them to be able to do?
3. What are the risks?
4. What is the potential damage?

At the end of the day your options range from a dumb terminal to full network administrator rights............... it is up to you to determine what is appropriate.

In all honesty I am not aware of any security product that is a substitute for a well thought out security model supported by appropriate processes and procedures.