I am not sure whether anyone have cover this possibility. But there is also a high chance that someone remotely control the said workstation and does what is seen unacceptable to you.

I realise this thread have turn out to be more flaming than informative. At least that is how i felt as a casual forumer.

Nekenieh, maybe you should consider hiring a info-security expert to look at the overall security issue. You need to implement a complete system rather than piece and pieces of hardware/ policies that have loop holes everywhere. In this case, the access card log and the surveilance camera might be your best bet but it is highly unreliable in this case.

Some of the combination of microsoft security flaws might be putted together to remotely execute something in the said workstation.

According to what you have mention about your environment. There are far too many possibility that could have taken place and none of the consideration factor has any form of "validation" on the user ID. That makes it next to impossible to pinpoint a particular individual for commiting such act.

Hope this very much sum up everything. These is just my two cents worth while trying to help out.