training lab security - Active Directory

[Kevin Shalla <kshalla () UIC EDU>]

I'm new to Active Directory, and am looking for ways to improve the
security on our PCs.  My hardware management staff is resisting my
strategy of putting all our training room computers into Active
Directory and having them all log in with their own AD
accounts.  Their preference is to have users log in to a local guest
account on the computers. I'm thinking that if someone loads spyware
or other nasty stuff, then other users won't be affected by that
because the accounts do not have administrator access.  My staff's
contention is that once malware is on a PC, it is NOT limited to one
account, but infects the whole machine.  Further, they believe that
having individuals logging in with their own accounts would create
too many profiles, filling up the machines.  What are the best
practices for managing Windows machines in lab facilities?