What's the most devious thing a user has ever done that you've had to deal with? Obviously, we've all seen quite a lot of malice from unfriendly users, but how about from so-called friendly users?
In my case, I think it would have to be ping tunnel: using outgoing ICMP packets to carry an SSH tunnel to circumvent the firewall. [Full disclosure: I contributed toward the Windows port of this tool ;) ]
(reopened as community wiki)
I used to do system-wide 'blackhat' consultancy for one of those big IT companies. We always found that the client companies were very good at hardening their routers/firewalls/servers etc but terrible about sorting out their human processes.
One such demo we gave to a client had me using their conference room speakerphone to call directory enquiries, ask for the client's main reception number, call that, ask for their tech support number, call reception again and ask for their Financial Director's name, then call their tech support claiming to be the FD. I had to be a bit loud and 'boss-like', but they very quickly reset his password and gave it to me. I dialled (they used MS RAS) into their system, logged in and sent myself an email saying 'You got the job!' - all in front of the FD concerned.
Basically people are always the weak point and you don't have to be that sneaky to get around them. That said, I do know of competitors who dressed as Police to gain access to our offices. Luckily someone called 'their branch' to check up on them and they literally ran away once confronted.
Most devious?
I set the default login picture for all users to a picture of Pedobear.
For the guest picture, I have set up Pedobear with a thumbs up with the words "Pedobear Seal of Approval".
Nobody in the company knows who Pedobear is and they just assumed that the bear is a cute cartoon character.
It's been two months since I did this. Many have already changed their user picture but the guest picture is still there.
...and no, I'm not a system administrator but that's what happens when I have to spend one weekend installing Vista on all the laptops and computers at the company.
More devious than a ping tunnel might be a DNS tunnel - but it's pretty much in the same ballpark. Both usually work (though DNS tunnel more often) for pay-to-use public wireless access without paying by the way - which might be nice to know if you manage such services^^
On the opposite scale of sneakiness, but almost as bad, a whole department kept everyone's passwords written on the inside of a kitchen cupboard. Just so they could unlock each other's computers at the reception desks in case someone forgot to log out... the kitchen was frequently used by visiting contractors.
Another typical problem is a user that just refuses to work with computers, and secretly lets a co-worker handle his or her necessities like time reports and checking the e-mail. This took a while to discover as it was a remote office where everyone knew but didn't care about this - they just helped their friend.
I worked as a sys/app/net admin at a high school (age 11 -> 18) and discovered that the laptop I got was the one my predecessor used (he was on sick leave). Before formatting the machine, I made a backup of the HD in case there was anything on it that shouldn't be deleted.
After a while my manager asked me for files that might be on that laptop. So I searched the backup disk but only found the records and photos of children aged 11 to 14 and only the female ones and only of a particular hair colour.
I reported my findings to my manager, but I can assure you that I was pretty spooked.
A user knew that he couldn't get around the firewall filter for web browsing, but found a way around it. He had a group of 5 friends, and they would email a dirty picture in an email attachment in a ring between them all.