The issue of such security always starts with physical access. For instance if I am given physical access to the PC there is little you can do to stop me from booting my Windows 2000 CD and doing things with it's Recovery Console. Hint: there's something no one told you. OR better yet, a KNOPPIX CD. All too easy.

There is one area that stops even an administrator cold but there is a heavy price. EFS does work, and can keep the admin out of my files but the management of the CREDENTIALS is beyond most.