Hrmm... first off, the Windows 98 machines should go. They provide 0 security and don't require authentication. (although you could use Kerberos I suppose).

You might want to look into an application firewall as that can limit users from where and when they visit. Might also want to implement a policy that limits where people visit (sort of like CyberCop, which checks sites for "bad things" like "nekid body parts").

Lastly, I'd be complaining to the cleaning crew management and remind them that the computers aren't for their use (or their contract goes). Might also want to limit access for unsecure computers (based on IP) after hours (ie., the firewall won't allow access out).


Oh.. I just remembered I should have gotten a little more clarification: What kind of user policies/computer policies do you have in place? What kind of network is it? What kind of firewall is in place?