Fortunately, our policy isn't as harsh as this, otherwise I wouldn't have done it. We support several different OS's, Linux being one of them.
In most cases when an installed update causes problems, it is because the user has infected the machines with viruses/spyware, etc.
Possible, I guess, but I was pretty careful about this. The IT department never told me I was infected with anything.
I kept my old Win2k drive fully patched and up-to-date. This was required for windows computers by the government agency I work for. Recently they changed the requirements to include operating as a regular user, not admin, as our windows computers had been set up to do. Win2k doesn't do this very well (at least not my computer). Also, some sort of defrag utility was set up to run at every startup. These two 'updates' alone (there were others), while maybe the right thing to do for security, were enough to kill my productivity. It was simply easier for me to switch to another (supported) OS. And since I spend half my time on deployment, attached to other networks, I'll bet I'm better off using Linux anyway.
The problems you mention with IT control reminds me of a funny one my work tried. But leading up to that tale...
After years of quiet, faithful service, my employer’s Intranet was enhanced with an “urgent news” popup alert, similar to an IM greeting, for messages deemed especially urgent to the company’s business: Major ups/downs in shares, critical court judgments, retirement/hiring announcements for corporate bigwigs, things of that nature. You clicked OK to make the popup go away, but after a set number of minutes it would popup again - and keep doing that until you actually clicked the link on the popup or opened your browser as if to go read the full msg. That practice stopped once the company disallowed users changing the browser homepage.
Eventually the company installed a net nanny, which by the way blocks websites of pro- 2nd Amendment PACs and any URL that includes “gun” or “firearm.” In my experience, it intermittently checks the page you’re viewing for certain words, but nobody is revealing what the words are that may result in forever banning access to that *domain*. (FReepers who spell sh#t correctly make me nervous. I just don’t know...)
Then came the day that the Intranet update popup appeared onscreen. I was at someone else’s work station at the time and thought he’d set me up for a prank. Update popups came on several times throughout the day. Like the previous popups for company-sensitive announcements, it aggravated the user into opening the Intranet homepage. Once I was back at my desk, I realised *uh-oh*. Every single time a manager altered an Intranet entry, well, everyone knew about it. That annoyance lasted less than a week, thank ye gods! I’d already disabled mine and printed out the instructions for others - I can’t help wondering how that bright idea made it past the “hey ya’ll why don’t we try this?” stage.