James,
You keep forgetting one thing. You are a high level IT person. You keep thinking like one when you think of other users. Most users do not have near the technical know how that you do.
You are getting into the never say never or nothing's impossible area. Not too sound stupid, but I don't know how long it took me before I knew Run -- regedit. And, I certainly didn't go mucking around in HKLM too often. An employee at any level making registry changes on an office client computer would be flirting with disaster to quote Molly Hatchet. There are a few places that GPOs work, but I am just not that worried about someone finding how to block them.
Two issues with your pushing out updates. That is just not something that physicians do. This is at the level of Professional Data Management, Inc. The average physician is just not going to do that. And, you can use WSUS all you want but there are just going to be instances where you need to do something on a computer that is simply more easily done by the user. Just turn on UAC on ten computers that needs admin authentication and find out how many times you find yourself needing to do that. Yes it makes the computer safer, but at some point it is like anything else: Risk/Benefit. The other things most networks being used with AC don't have the capacity for using GPOs. This is where the false believe that having a client/server is really a domain network. It's not. It doesn't have Active Directory and GPO and OUs, etc.
Think about this. If all of us doctors could do all of these things, you wouldn't have a job.
Paragraph deleted.
Out of this whole discussion, but biggest piece of advice to you would be to go to your post as fast as you can and edit this line. I would try writing Most of the staff that I see at most practices....
