Since I've actually run UNIX for personal use outside of work, that apparently makes me the newly anointed Macintosh expert at my workplace... I've got an open-access computer lab (12 iMacs) that will be used for limited video, photo, and audio editing. There is no central fileserver, and they are not joined to any directory service -- it's all got to be local user login.
How do I student-proof these workstations and minimize my headaches going forward? The students are going to be required to use their own external HDs for file storage, per the professors in question.
A relatively simple, but non-free, solution would be to use something like Deep Freeze (link). Basically it will let the user do almost anything they want, but next time the system is rebooted, everything will be restored to the previous state.
The home-use price is $45.00; there are savings for educational use and lots of licenses.
Have you looked at Parental Controls? It's been a version or two of OS X since I've used it, and I have heard it is much better now.
If each student has a hard drive, they can use external accounts. I believe that if you create a user in System Preferences -> Accounts and then Ctrl-click on their name, and choose "Advanced Options..." you can specify that their home folder should live on their hard drive. Then, they merely need to plug in their hard drive at the login screen and it will show external accounts that can be logged into. See this tip if you have to move an account.
Be sure to make an image of your computer setup. [NetRestore used to be the tool to use, but it is no longer readily available. Deploy Studio and InstaDMG are tools to look into, and Apple's Server Admin Tools include an image creation tool that you ought to be able to use without having a server.] With an image, you can set up the machines to be identical, and if one is hooped, you can re-install the image.
If you opt not to use the external accounts, it ought to be possible to put the /Users folder on a separate partition, and then, again, if the software becomes broken, you can re-image it to a pristine state.
Regarding the netbooting idea, it is possible to use a Mac client or a Linux box as a netbooting server; it is just a lot easier using OS X Server.
If you don't want to store any user preferences etc. and if there are no personalized accounts at all for the students, I would do the following:
Normally, non-admin users should be unable to modify stuff outside their account (like the Applications folder), but to be sure, you could regularly use something like Carbon Copy Cloner (Bombich again) or even Apple's Image server, which comes together with the server version of MacOS X, and restore the whole system into a known good state.
Also, you could think about whether OS X Server wouldn't be a good investment, as it allows much more detailed restrictions on the configuration of both computers and users. A 10 user version would be enough if you don't require file sharing, and as an education version, it's not too expensive.
Another option to consider is using guest accounts. The user logs in as a guest, they do their work, save it onto their hard drive, and log out. The guest account is deleted.
The only problem is that iMovie, iPhoto, etc., expect to find a user's files in a specific location (although I believe they can hold down the option key while starting these programs to tell it where to find the media -- it just isn't a friendly option!).
Define "Student-proof".
All we do at the college I work at is set the template account up (/System/Library/User Template) how we want student accounts to look and then give the users normal user rights on the workstations. We see very little to no trouble with this approach.
Would that do? If not, why not? (just to get an idea of what your needs are).
We have actually added our Macs to Active Directory. This doesn't really place a burden on AD, simply allows the workstations to get user authentication and details from a source that already exists.
What kind of access are you wanting to lock down specifically?
As said by others and as a stopgap, I would recommend starting with a standard image across all of them - that way if you have an issue with a computer you can just reset it back to the image.
To use programs such as Final Cut, Adobe CS, etc. you don't need to be an administrator (with the exception of Acrobat). Removing Administrator rights removes the ability to install/manipulate the system.
Lastly, if you want to prevent them from being able to start up from different hard drives, you can enable an Open Firmware password (very much like a BIOS password, but it only prompts when you try to access Open Firmware or start up off another drive).
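An added example, not part of the original answers: since the advice above rests on students having no administrator rights, this script checks a lab Mac's local `admin` group against an allow-list. The `ALLOWED_ADMINS` list and the account names `labadmin` and `student1` are assumptions made up for illustration.

```shell
#!/bin/sh
# Flag local accounts that hold admin rights on a lab workstation.
# ALLOWED_ADMINS is a hypothetical allow-list; "labadmin" is an assumed name.
ALLOWED_ADMINS="root labadmin"

# unexpected_admins "<GroupMembership line>"
# Prints the members that are not on the allow-list, space-separated.
unexpected_admins() {
    line=$1
    # Strip the "GroupMembership:" key that dscl prints before the members.
    members=${line#GroupMembership:}
    out=""
    for user in $members; do
        case " $ALLOWED_ADMINS " in
            *" $user "*) ;;                 # expected administrator
            *) out="${out:+$out }$user" ;;  # anything else is a finding
        esac
    done
    printf '%s\n' "$out"
}

# On a Mac, read the live membership; elsewhere, use a constructed sample.
if command -v dscl >/dev/null 2>&1; then
    membership=$(dscl . -read /Groups/admin GroupMembership)
else
    membership="GroupMembership: root labadmin student1"   # constructed sample
fi

found=$(unexpected_admins "$membership")
if [ -n "$found" ]; then
    echo "Unexpected admin accounts: $found"
else
    echo "Admin group matches the allow-list."
fi
```

This reads direct members of the local group only; run it after imaging and periodically afterwards, since a re-image is the point at which a stray admin account is cheapest to catch.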
You should get OSX Server - it doesn't have to run on an Xserve - a Mac mini or old MacBook will do. Education copies are very cheap and it will give you huge flexibility in how you manage the Macs.
You can then use NetBoot to boot the iMacs from a disc image. Every new logon gets a fresh operating system.
You could lock them down - but let's face it, you will be reinstalling OSX every few months if you go down this route.