I work for a fairly large company - we have 2 Class As. All the computers on our administrative LAN run a standard image. Users are just that - users, no admin rights. Field IT has limited admin rights. Why? It is pretty simple. The company can not afford a roll your own environment. The workstations have to do many specific tasks that keep the company in business. Part of my regular workday involves rdping into workstation and whacking unauthorized software. I know where it is because the system performs a hardware and software audit on a regular basis. The rules are all up front. You are told what is expected when you start the job. We do allow proxied internet access in general unless abuse is detected. We are in the process of pulling back about 1/3 of our laptops. There are no longer a perk, the user has to show a need that exceeds the security risk.