I know this post hasn't been looked at for a while but I have had the same problem (again in a work environment where I wanted as little interference to the user as possible) all I did was to create a batch file that ran on first boot (I needed to be logged in as admin on first boot to change the PC name and join to domain anyway) which asked the user/admin (me) if this was a fresh install (i.e. fully formatted hdd with one partition) and replace boot.ini if that was the case. It's a bit of a dirty way of doing things but in the absence of obvious prevention I had to make do with a cure. Hope this helps 
Pages 1