Yeah, I agree. Redmond seems to have no feel at all for what is admin stuff and what is not. A user can't even defrag their own hard disk. :-/
My point is, either you can trust an employee or you can't. If you can't, then fire him. If you can, then give him the tools to do his job!
If the user is just an annoyance, who regularly screws up his computer because he's been playing around, then address that user, rather than handcuffing everyone for it.
That is exactly the attitude my company has. My company laptop was stolen from my office back in June. Since then I've been using my personal laptop for work. Rather than requiring me to have certain apps, etc on my machine, they have been very helpful in helping me get my machine to work with them.
As a result, I have the only linux workstation in the company, but I get just as much work done and I don't have to run all sorts of helper apps for virii, etc. The only thing I don't have is access to the VSS database. To get to that, I just start up Windows in a VM, and I can run VSS from there, checking out code into shared folders that my Linux box can access.