Typical security permissions

Hi,

I am administering a network of 20 computers some of which are XPs and the
rest 2000s. The server is NT 4.0 In the past a few users have given me
headaches by installing software from the web (intentionally and
unintentionally) which resulted in uncontrolled pop-ups. I ended up applying
very tight security policies that among other things prevents users from
installing software on their machines...actually even downloading files from
the web.

Now it seems to me that this is perfect for a typical user, but what about
programmers...typically what kind of access do they need on their machine.
My programmers do VB and ASP programming.
- Should they be allowed to download? keeping in mind that they might be
creating some web controls or whatever?
- Do they have to be administrators over their machine?
- Please feel free to go to as much detail as you like.

I am sure that granting full permissions is going to give me the least
headaches, but unfortunately in the past one of my programmers installed
something that ended up screwing up his windows. Anyway, I just want to get
an idea of what the typical settings are for a medium sized company.

Thanks.
W