I do a lot of work getting schools set up with various operating systems. One of the things I've been working on (works in my test environments, don't have a test site yet) is having an entire lab running linux.
Things I've noticed work well, mounting the root file system as read-only, this prevents any changes no matter what. You still need to put the home dirs and temp on a different partition that's read/write.
Also, setting things up to be more like a diskless environment works very well, all home dirs are kept on the server (prolly just need 1) and using perl/bash scripts to use nfs to mount that student's personal file area based on their login. This way each student has the same desktop and any changes they do don't get saved when they log out.
You need to integrate LDAP to make this all work seamlessly.
As for preventing students from running programs, the easiest way to prevent it is to not install them, and anything that other users (teachers, admins) need to use, have their login scripts use nfs or take advantage of X servers.
You do need a 10/100 switch for this stuff to work well, but with educational discounts the 3com 24 port super stacks cost like $500.
If you were in the state of minnesota I could set your school up with a demo, but you probably aren't.