This was an interesting question and I feel like I can give an interesting answer. I'm self-employed, in that I'm the owner of the company. So for me there is no separation. My "work" laptop is also my beefiest and hence my primary laptop. I can dictate how our lab environment is built out.
To address what you talk about with my employees, generally speaking I'm pretty lenient with what they want to use and do (no porn no pirated software, that's pretty much it). I give pretty much free reign in the lab. I do this by having a development VM server and allowing a dev to spin up pretty much any VM he wants. I got an MSDN subscription to cover all the various MS OS flavors, but I see lots of ubuntu and OpenSolaris VMs too.
The bigger issue for me is not computing resources, its time. You have to show me that your research efforts are worth our time. If we're building a J2EE project on top of Ubuntu with mysql, I will question why you are doing a python tutorial on the company time, for example.
For me personally, since we're a small company and cashflow is tight I personally follow a "10% IPA rule". No more than 10% of my time can be spent on non-Income-Producing-Activity. I try to make sure 90% of my time is directly billable to revenue and not spend more than 10% of my time beyond that. Maybe larger companies with bigger profit margins can handle more, but we just can't right now.
I certainly encourage people to learn new things and I can see the value of doing this out of left field. (For example, last year I decided to finally really learn functional programming, and it gave me a huge positive impact on my vanilla Java/Perl/JS/etc coding). And since most engineering talent is the geeky sort who love to learn for learning's sake then its a positive morale influence to let people dabble. But when I can see the cash flow report every month then I can see where the PHB/clueless MBAs get nervous when you spend too much time doing research and learning.
Now, when you mention security being an issue.....well, can't help you there. Most large companies have fairly brain-dead security policies so there's not much you can do about it.