@C Yates
No. Why do you imagine I am?
The solution with "need admin access" people is two accounts. FredBloggs and FBAdmin. FBAdmin is either a local account on the box or a domain account that is a member of no groups beyond Domain Users and a group called "Local Access Only" which has deny privs on all shared libraries, printers etc.
Fred therefore _has_ to use the FredBloggs domain user account to access network resources. He can use FBAdmin, possibly via runas, when he needs to do admin-y things. He cannot claim he doesn't have full control of his box because he does, just not when wearing his network user hat. You will of course need to use Group Policy to control the local admin group so that FBAdmin can't add FredBloggs to the local admins group...
You justify this by saying it's not about not trusting him to run his own computer, but _protecting_ him against zero-day malware attacks.
Developers running as local admin all the time are a menace - it's this practice which is responsible for half their crap not working properly for limited users once they release it. Definitely should have the FredBloggs/FBAdmin setup. If it doesn't run as FredBloggs you haven't got it working yet.