This is not exactly new science here...
1) users are NOT local admins of their machines
2) Group Policy locks down nearly every aspect of their machine
3) centralized security and monitoring, AV can not be disabled, all patches/DATS auto pushed from central serevrs.
4) strict internet controls (monitored access, and only for those who need access). Internet access further protected by a white list.
5) imaged machines based on roles. Machines are never fixed for a user. If there's an issue, drop another pre-configured machine on their desk and then fix the other one (by starting with re-imaging to eliminate software issues).
6) users can not save files locally, period. MyDocuments folder is relocated to a network share through policy or logon scripts.
7) Strict corporate policies on software used in the company, electronically audited through something like SpiceWoerks or CA e-audit.
8) USB ports can not be booted from, BIOS locked out with a password. No CDRWs. Additional drives connected will only show up to admins (remove all drives other than C: and D:). Selected users who are approved to move files from the company systems to home systems only do so electronically through a web portal or through citrix etc. No thumb drives or portable media.
9) All portable computers use encryption of the whole drive. Hibernate automatically on lid close, and can only be logged onto when a domain connection is available or as local user.
10) e-mail secured by not less tha 2 different filtering technologies (from different vendors). Ability to send/receive e-mail from external sources approved on a per user/department/job role basis only. (most users should not require full e-mail access, only internal e-mail).
11) No Wifi except in conference rooms, public areas, etc. Even that is either a DMZ zone for guests, or requires MAC address pre-approval and 802.11x authentication.
It sounds harsh, but we don;t go to that extreme. MOST users (except call center folks who are monitored by the minute and simply don;t have TIME to surf when on the clock) do have limited internet access, at least to some approved news sites, local banks, and a few other places, so in a spare minute you can get some personal time without having to lug in your own personal computer and a tether-enabled cell phone... We're not cruel, but having a locked in system where users simply can't make changes to computers solves a lot of issues. If they can't store data locally, and their machines are roll based inaged, then if theyre's an issue, and they call helpdesk, the response it "someone will be by in less than 30 minutes with a replacement machine, let us know if you have trouble after that" Or "Yes, we know, that service is currently unavailable, did you not check the self help site and read the service advisory?" Help desk no longer requires technicians, only ordinary call center folks, and desktop support becomes a bunch of untrained computer movers. If there's ever a software issue, all effected machines can be identified by groups and re-imaged across the network (this is rare as the images are thourally tested, and software is a few revisions back from the bleeding edge and generally bug free, and patches can 99% of the time be uninstalled successfully if they break something).
We have 14,000 workstations. We have about 25 people in the workstation helpdesk supporting them all in a central call center, and about 3-4 people at each campus maintaining the hardware. We used to have over 100 people in the helpdesk. ...now if we could only get our SERVERS onto the same process (it;s in the works, but quite a bit more complicated as we support over 1000 applications across 3500 servers on 12 differnet Os platforms...)