"Thus, a ROM change with that option removed would have been the fix. We don't know the machine had a floppy disk."
Yep, we had a couple of PCs that needed to be "secure". I wrote a password routine as a device driver loaded by config.sys, so a bit more difficult to by-pass than autoexec.bat and then we fitted a key switch into the case that controlled the 12v line to the floppy drive. It passed the BIOS POST but wouldn't spin a disc without the key inserted and turned to the on position. Obviously whole HDD encryption wasn't really an option then. We also patched the OS on the user machines to look in a different place for the FAT/Directory sectors. Discs being taken in or out of the office then had to pass through the one of the "secure" PCs dedicated to the task of being the gatekeeper which virus scanned them and relocated the FAT/Directory sectors to the correct place for internal or external use. This allowed disks to move freely but made sure they were as virus free, at least internally.