Couple of points to ponder/consider regarding the runas command and group policy...

EvilSeed stated that the network has NT4 servers as the PDC and BDC...which would remove Active Directory from the overall environment. This would also limit the amount of security policy settings available to restrict rights to certain groups of individuals on what they can and cannot do in the domain(s).

The "runas" command only runs in the current context of the person who is using it. How that could be construed as a security hole, I would like to see the proof of exploit. Now, the question becomes how much you need to limit the rights of low-level techs in the domain. If you know the machine name (NetBIOS name), why not restrict them to logging in just to those machines as administrator (or another name with admin rights) until the device installation is completed? Set up a temporary admin account that can only log into the machine locally, then delete the account from the SAM once the installs have been completed?

In the absence of a fully-integrated ADS network, using a temporary local admin account may be the easiest overall solution.