The student OWN their laptop. Period.
You should not (legally) have (the right) to lock down their laptop.
I think the main problem is how you view the design of the network they will connect these laptops to.
I think you must consider these laptops connecting to the physical school network as equivalent, security-wise, as if they came from the outside (the internet). You are simply providing wired local access. The school systems and services should exist on a seperate secured network.
And just like in an airport or an internet cafe, you probably can filter some of the traffic to-from the 'public' physical school network.
Is monitoring the traffic to-from a privately owned laptop legal in the U.S.?