I think you're stuck on a lot of those points, alas. These are my answers to selected questions, bearing in mind that I'm not a proper admin, even though I do look after 20 machines or so at work.
> I want to enforce the installation of updates
You could add a cron entry for root to install updates at a specified time each day and grab the updates from the repository that you run. Your repository can be in addition to the normal distro repositories, so you don't need to replicate everything.
> **Group Policy Software Deployment**
I don't think there is anything exactly as you describe, but there are tools that allow running commands on multiple machines in parallel - I've never looked into this myself, but I believe they might be "cluster ssh" or "parallel ssh" or something similar. This bit is pure speculation, but I'd imagine that one of those, coupled with adding/removing machines to netgroups, would look vaguely like what you describe.
> **Roaming Home Folders**
I imagine you're going to get lots of replies here saying "just use NFS!", and I'd be inclined to go with that myself. The usual way this is handled in my experience is to have the home directories on a remote server and have them auto-mounted with NFS when you log on to a machine. This sounds like what you describe, apart from the part with a profile being copied to the local machine. I'm not sure I understand the benefit of that; could you clarify?
> **Preventing access to Executables**
As others have mentioned, you can mount anything with the "noexec" flag and nothing can be executed on that partition/network mount (is that what you meant by removing the execute flag? I wasn't sure whether you meant the execute flag on the file itself). As you're the only person with the ability to install software, bingo, they can only run what you want. If you want more fine-grained control, looking into something like SELinux would do it, along with a significant amount of hassle.
> **Remote Support**
Agreed, VNC is a bit clunky. I use NoMachine NX for remote access and it's the bee's knees. This doesn't let you connect to an existing user session, if that's what you mean by "remote access to any user's desktop", though.
> Do you really need separate partitions for all these things?
On a user machine, not really. It can be useful at times, though. Our machines at work typically have a 20GB root partition for the OS, ?GB of swap, and then the rest is set aside for installs of the *big* commercial apps that we use and temporary simulation data and the like. This partition is preserved during OS upgrades, so we don't have to reinstall, which is nice. Essentially I'm saying 20GB (or more if you want; obviously it won't hurt too much to increase that) and an amount for swap is all you need, assuming your home directories are on the network.
I hope that answers some of your questions. I'll be interested to see what other people write as well!
Cheers,
Roger
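An added example, not part of Roger's post, to go with the "noexec" suggestion above: a small POSIX shell audit that reads mount lines in /proc/mounts format and reports which of the mount points you care about (home directories, /tmp, scratch space) are mounted without noexec. The sample mount table is constructed inline so the script runs offline; on a real machine you would feed it /proc/mounts instead. The function names (has_opt, missing_noexec, report) are my own. One caveat worth knowing: noexec stops the kernel from executing a file directly (execve of /home/user/evil), but an interpreter can still read and run a script from that mount (sh /home/user/evil.sh), so treat it as one layer rather than a complete control.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the original post): check which
# mount points that ought to carry noexec are mounted without it.

# Constructed sample in /proc/mounts format:
#   device mountpoint fstype options dump pass
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
fileserver:/export/home /home nfs rw,relatime,vers=3,hard 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /scratch ext4 rw,relatime 0 0'

# has_opt OPTS NAME: succeed if the comma-separated option list OPTS
# contains NAME as a whole option (so "noexec" does not match "noexec_x").
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# missing_noexec MOUNTPOINT...: read /proc/mounts-style lines on stdin and
# print each requested mount point that is present but lacks noexec.
missing_noexec() {
    while read -r dev mnt fstype opts rest; do
        for want in "$@"; do
            if [ "$mnt" = "$want" ] && ! has_opt "$opts" noexec; then
                printf '%s\n' "$mnt"
            fi
        done
    done
}

# report: run the audit over the constructed sample. On a live system replace
# the printf with: cat /proc/mounts | missing_noexec /home /tmp /scratch
report() {
    printf '%s\n' "$SAMPLE_MOUNTS" | missing_noexec /home /tmp /scratch
}

# Print the remount command that would fix each offender. It is only printed,
# not run, because remounting needs root; for a persistent fix add "noexec"
# to the options column of that entry in /etc/fstab as well.
report | while read -r mnt; do
    echo "$mnt lacks noexec; fix with: mount -o remount,noexec $mnt"
done
```

With the sample table above, /home (the NFS home directories) and /scratch are reported, while /tmp, already mounted nosuid,nodev,noexec, is not.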