In these times of economic woe, you have to get clever if you want to stretch your budget. And one area where we spend lots of money is supporting in-house users.

I see the problem this way: At one end of the spectrum, you lock down users to the point that they can't breathe unless you give them permission.At the other end, you let them do whatever they want - the "anything goes" approach.

The former strategy, lockdown, has some major benefits: You don't get any surprises, or at least very few. Costs and labor are manageable, on the whole, because you know the dimensions and scale of everything. And there is no opportunity for deviation. If a particular software title isn't corporately sanctioned, it isn't an option.

There's a cool utility called DeepFreeze that can make such a strategy work. Published by Faronics Technologies, it locks the configuration of PCs running Windows 95, 98, ME, 2000 or XP, and wipes out any changes made in the previous session when the system is restarted. (You can assign areas where changes will be preserved from session to session.)

DeepFreeze is used widely in education environments, and as far as I can determine has yet to be hacked, though many have tried (the company runs a "Crash this Computer, Win $500" challenge at trade shows and so far, no winners). 2600 Magazine (aka The Hacker Quarterly) recently ran a story on DeepFreeze, but it was really a discussion of what the product does and had no helpful hacking advice.

The pricing of DeepFreeze is pretty good: 10 seats with a one-year maintenance package works out at just less than $42 per seat - at 1,000 seats it drops to $10 per seat. Faronics also has an enterprise version in the works to provide centralized administration.

But the key to making lockdown attractive to management is to minimize the cost of support. For example, you might require all support requests be conducted through a Web interface. The goal is to diagnose whatever problem the user has and give the user the information to solve the problem.

Then if your machine is really dead, tech support will replace it. And the crucial thing is that they will wheel out the old one with no futzing around; anything that isn't backed up never will be seen again. Doesn't matter what is on the machine, the rule is that the machine will be serviced if possible and returned to the replacement pool. End of story.