|Welcome to the Monastery|
A couple of thoughts come out of your words here.
First, I completely agree with your point about the importance of the maintainance of tools.
I was instrumental in setting up an architecture that automated this task of program installation and maintainance of 700 'approved' apps (reduced from the surveyed 7000+ prior to integration) across 600 LANS in 350 locations spread across an entire country. If the right SysAdmin tools are used, the requirement to limit the users choices (without moving from the sublime to the rediculous) in order to cut down on SysAdmin costs and workload is lessened.
I did roaming profiles a disservice when I mentioned (desktop's, fonts, color schemes etc.) in my earlier post. Under Win32. the "user's desktop" is more than just these trivia--although if your short-sighted not having access to your large font isn't trivial; nor lack of a high-contrast color scheme to the 10% of users that are red/green color-blind; nor visual 'audible warnings' for the deaf; swapped mouse-buttons for the left-handed etc.-- it is also everything s/he is able to see and do.
In essence, the users 'desktop' is the users computer; His or her 'virtual machine' to use a quiant old-fashioned phrase. The "shortcuts" available on my 'desktop' are the only applications I am able to run.
Whether the application a shortcut points to is locally or remotely installed doesn't matter, the fact that it (the shortcut) is installed on my desktop means I can use it. If it isn't, generally, I can't. Yes, it is possible to invoke programs manually via the filemunger/explorer, or even through the still-born CLP--assuming it hasn't been disabled--but in the Win32 sense, the desktop is more virtual than physical. More akin to a visual representation of the *nix .profile (and other .files).
So when I say 'desktop', I mean somewhat more than just the pretty bits.
Secondly, I also agree that there is a real need to restrict what gets installed and where, especially with the advent of easily accessible cracking tools and wide-spread exposure of the corporate network to downloads from the internet. However, forcing the user to use vi or notepad (or even worse, I've seen people using Word as a program editor!) when they have become accustomed to and dependant upon the features of X, because it make the SysAdmin function easier seems all wrong to me.
Can you imagine the caddy telling Jack Nicklaus (or Tiger Woods dependant upon your generation) that he can only use a sand-wedge for his golf cos it makes cleaning his kit so much easier. Or drawing analogy to the described use of Word, a 1-wood!
Or replacing the vehicle mechanics sets of straight-necked, cranked-necked, open-ended, flat-ring, shallow-offset-ring, deep-offset-ring, 6-point and twelve-point spanners(wrenches to most of you guys), short-reach and long-reach socket sets etc, with one two of these and one of these?
I guess what I am saying is that the SysAdmin role, often under resourced and under funded as it is, is the support role. Whilst, as one monk's wry tag line would have it, downtime is that time when systems have a 0% user errors, without the users the SysAdmin role has no purpose. That makes the users the customers and although I have never subscribed to the customer always being right, restricting the users productivity in the name of simplifying or reducing costs in the SysAdmin role is not good management nor good fiscal policy IM(NS)HO.