Are you using a windows domain? An updated win2k active directory group policy or a win2k3 group policy should provide plenty of lockdown. I read a little about AppSense on their website and it looks like it does just about exactly what active directory does already. Why add 3rd party software to do what windows can do already?
Haven't really delved too deep into (In)Active Directory Group Policies. I suppose it's a solution, but we would need to overhaul our network. Right now everyone authenticates local for application reasons. MMC would probably work as well, it's just a matter of taking the time to go through it so that everyone can do what they need to do. We already have a couple apps that need a registry mod in XP to work in other than Admin accounts (luckily only a few laptops) and everything else runs under Win2K in PU accounts. We're hoping not only to stop user installs of stuff like screensavers, but also stop drive-by installs of ad/spyware. With everything else like a new ERP rollout about to happen, we just can't afford much time.
All of that stuff is a piece of cake in GPOs. Just make a group policy on your domain user's organizational unit and mess with it DO NOT EDIT THE DEFAULT DOMAIN POLICY!!!!
Always move your users and computers into their own OU and make a group policy there. All the options in the group policies are very well described so you will know exactly what it does.
Disabling users ability to install anything only takes a couple clicks