I know others and I have been saying this up and downthread, but seriously check out configuration management tools like puppet.
(1) is always going to start in Linux with creating your own repo (you can keep it in sync with just rsync, and sync things from your test repo to your production one after they pass testing) and creating RPMs (or .debs, whatever) for any custom software you're using.
Once you've got that in place, you can do (2) and (3) with your configuration management system, which will download new policy when the system comes on-net and enforce it continually even when off-net, just like Group Policy. Because the configuration is all text, you can easily programmatically edit it, keep it in version control, back it up, etc., and configuration management systems are completely object oriented for easy inheritance.
Of course this probably won't stop the maliciously brilliant or totally idiotic, but I've yet to see Group Policy do that either.
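An added illustration of the workflow the comment describes (not the commenter's own code): a Puppet manifest that points hosts at an internal package repository, installs a custom-built package from it, and keeps a config file under continual enforcement, with a subclass that overrides the baseline for a more exposed role. The repo URL, package name and file paths are hypothetical.

```puppet
# Added example, not from the original comment. Hostnames, package
# and file names below are placeholders.
class baseline {
  # (1) point yum only at the internal repo and verify package signatures
  yumrepo { 'internal':
    baseurl  => 'https://repo.example.internal/prod/$basearch',
    descr    => 'Internal production repository',
    enabled  => 1,
    gpgcheck => 1,
    gpgkey   => 'https://repo.example.internal/RPM-GPG-KEY-internal',
  }

  # (2) install the custom-built RPM from that repo
  package { 'site-hardening':
    ensure  => latest,
    require => Yumrepo['internal'],
  }

  # (3) enforce the config file; any local drift is reverted on the next agent run
  file { '/etc/ssh/sshd_config':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
    source => 'puppet:///modules/baseline/sshd_config',
    notify => Service['sshd'],
  }

  service { 'sshd':
    ensure => running,
    enable => true,
  }
}

# Inheritance: a DMZ role reuses the baseline and overrides one resource
class dmz_host inherits baseline {
  File['/etc/ssh/sshd_config'] {
    source => 'puppet:///modules/baseline/sshd_config.dmz',
  }
}
```

The agent re-applies the catalog on its run interval (30 minutes by default) whether or not it can reach the master, which is what gives the "enforced even when off-net" behaviour.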