ComputerWorld highlights a security fix that most tech people know about, but few have the courage to actually implement. Quoting a security firm hyping their own product, ComputerWorld's story says Removing Admin Rights Stymies 92% of Microsoft's Bugs. We know that, yet we keep giving Windows users full administrative privileges.
The trick for company management is to accept that they, not users, own the computers. You have a perfect right to configure the PCs the way you want to maximize work and minimize security problems and wasted time. I remember being paid to delete Solitaire from Windows 3.1 systems back in the day, just to eliminate the distraction.
Your users will complain. Here's what you tell them: “It's not your *&#%*&$ computer!” Let me repeat that a bit more politely. The computer belongs to the company, not the user, and you and only you decide what software goes on the computer and when to install it.
Eliminating virus-filled screensavers from KittensGalore or some other site improves security. Eliminating the ability for users to run programs attached to e-mail messages (yes, they've been warned, but they still do it every day) stops many viruses and Trojan programs. Eliminating the ability for users to download some new widget and install it themselves drastically reduces the number of zombie PCs spewing spam and malware in your company.
The improved rights and security handling of Linux systems is one of the big reasons I recommend that operating system to customers. Add in the fact it's almost impossible to get viruses and most spyware when running Linux, and you get an added bonus.
Remember, the PC belongs to the company, and the company must configure the system to protect the company. Users should not be part of that equation. If a user makes a case some new program will really improve productivity (that might be true once in a blue moon), fine. You install the program, then log out of the Administrator username and let them log back in as a normal, restricted but secure, user.