If a desktop goes bad it can be reimaged in about an hour.
Acquiring an unlocked machine requires an act of God.
Have each user log into a thin client that looks and feels like a real machine. If something goes wrong, simply restore the machine image on the server.
This has been done using a *nix-based OS on the clients, running a VM from the server. If the virtual client goes bad, merely copy that machine's image from a backup file.
Usually, the users don't even know they're on a thin client.
"Acquiring an unlocked machine requires an act of God."
Or maybe a quick perusal of a couple of articles from 2600.
It is really very difficult to stop a privilege escalation attack if the user has an account on a box, particularly a Windows box.