I almost agree with you negative and I have the same approach to developing rules that can be enforced. For instance I fall under regulatory compliance with the FDIC. Their best practices say a password should not be made up of dictionary words. Well in my network there is NO way to enforce that through technology I currently deploy; therefore if I state in a policy something that cannot be enforced then the peeps will do it regardless and I have a policy that is a joke. In fact when regulators come and look to see people ignoring the policy, that is much worse in my opinion than simply not stating that passwords will never be made up of dictionary words. This is different in the case that I will be inspected for policy compliance, which is a huge counter-productive pain in the ass.

Having said that very confusing paragraph, I then go on with this issue and your games example: If the policy is clear that games will not be tolerated and that is communicated, then i don't have a problem holding the end user responsible. In fact I take the approach horse mentions and I state in policy a catch all, kind of my own CYA. The end user is responsible, sure there are many circumstances where the fault will fall on IT but there has to be a device where abusers can be dealt with. I even go so far as to say, end users are responsible to ensure THEY have backups of their important files. If they feel the heat a little, they are less likely perhaps to download that copy of Dig Dug. I believe if you have no way of blocking Texas Hold'em (my abusers love that card game) or you block one and they find another, and you say "You are not to play card games during work from this point on" and they still do it anyway because "they can" then they are responsible, just like the smoker who refuses to use the smoking area and smokes where ever they please because there isn't a fence and a lock around the area. (another of my issues)