You are very welcome. It is important to understand the methodology you may often see used at a workplace or especially in academia. Group policy is often used from Windows Server to employ Active Directory settings which do several things. The desktop is oftentimes rendered from a template using group policy whenever the user logs into the account. Changes to the desktop, therefore, are not saved. Instead, each workstation functions as a kiosk-type machine that supplies limited access to the end user. This is done by using access control lists under a Windows domain to reduce the surface area of the system and give the impression that no modifications to the system can be made. In general, access to areas that would allow for system configuration is revoked using the group policy method and by employing standard accounts.
The restore from image can be done that night using additional deployment software. However, as mentioned before, entire machines can be virtually black-boxed to a point that the end user is accessing a virtual machine at all times without giving the appearance that this is the case. This is done by employing software mentioned above for virtualization, including a complete system management solution from VMware or a combination of methods that can utilize Microsoft Hyper-V and Terminal Services.
I encourage you to access Microsoft TechNet to unravel the Microsoft deployment method as well as the VMware website. There are very new methods that simply involve reading a virtual machine hard disk image (.vhd or .vhk). Older methods will require backups and extensive amounts of time.
Either way, both methods will likely require a server for a large number of computers. For a smaller computing environment, you will want to look at standardizing a setup that uses virtualization on boot and restricts access to the main system using Local Group Policy Editor. Needless to say, for the professional approach that you would see for securing workstations in an enterprise environment, you are going to have to make significant investments in hardware and software. The group policy settings rendered through a Windows domain controller described above can often be accompanied by additional software which is deployed on each workstation through the server. In many instances, this software can be Symantec Endpoint Protection. The one benefit of this software is not simply its virus definitions, but its ability to actually lock down and security harden a collection of systems on a network even further. Web activity can literally be logged and censored from wherever the Endpoint server components are deployed. This, in conjunction with group policy, can protect systems on a large network without requiring the use of system images.
However, reverting back to a virtualized system image and using virtual machines in general to protect a network from unskilled computer users is generally a good idea and is becoming widely adopted on public university campuses and in some public sector locations. While the old method of using Norton Ghost or other system imaging software may seem good, it can actually become quite tedious, time-consuming, and the least cost-effective option: it requires additional hardware, constant reliance on a variably large backup image, and precision incremental backups (if that is how it is being deployed). On the other hand, the virtualization remedy, at least with VMware's various solutions, simply involves literally flagging the virtual machine image not to save when the system is powered off. In a sense, the "system within a system" model allows you to be the man behind the curtain as the IT director or enterprise management group. You are allowing the end user to see what the organization wants them to see.
If virtualization or restore from image backup is too much for your firm's or organization's costs, then Windows Server 2008 R2 and Windows 7's group policy security features will certainly allow you to security harden the system to a point that installing or misconfiguring the system becomes quite challenging. With the right group policy settings, you can effectively restore the desktop to a template on every login and ensure that only programs you want accessed can be used. By using this approach first, and then integrating a virtualization schema later, you may be saving yourself some time to see what is necessary. Ultimately, in the end, it is my belief that employee or student training is the most rewarding option. But until that becomes possible, to protect your systems, using virtualized images isn't a bad idea. One main reason is that it is easier to update the transient image file. You can update the file to incorporate Windows updates fairly easily. More information on this here:
http://www.vmware.com/products/view/
In fact, VMware has numerous products that are designed exactly for what you are trying to do: limit surface penetration of the system by the end user and minimize the ability of end users to make policy-level decisions about the systems they operate on a daily basis. Virtualization allows you to do that without the additional hardware.
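
Added example, not part of the original post: a small audit that checks whether the "do not save on power off" flag described above is actually set on every virtual disk of a lab VM. It assumes VMware Workstation/ESXi-style `.vmx` files, where a discard-on-power-off disk carries `mode = "independent-nonpersistent"` and a disk with no `mode` key is treated as persistent; the VM name, disk names and sample file content are constructed.

```python
import re

# Constructed sample .vmx content for a lab workstation VM (not from the original post).
SAMPLE_VMX = '''\
scsi0.present = "TRUE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "lab-ws-01.vmdk"
scsi0:0.mode = "independent-nonpersistent"
scsi0:1.present = "TRUE"
scsi0:1.fileName = "scratch.vmdk"
scsi0:1.mode = "persistent"
sata0:0.present = "TRUE"
sata0:0.fileName = "extra.vmdk"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.fileName = "tools.iso"
'''

LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')
DEVICE = re.compile(r'^((?:scsi|sata|ide|nvme)\d+:\d+)\.(\w+)$', re.I)

def parse_disks(vmx_text):
    """Return {device: {property: value}} for every bus:unit device in a .vmx."""
    devices = {}
    for raw in vmx_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        d = DEVICE.match(m.group(1))  # controller-level keys (scsi0.present) do not match
        if d:
            devices.setdefault(d.group(1).lower(), {})[d.group(2).lower()] = m.group(2)
    return devices

def persistent_disks(vmx_text):
    """List (device, file, mode) for present virtual disks that keep user writes."""
    findings = []
    for dev, props in sorted(parse_disks(vmx_text).items()):
        if props.get("present", "").upper() != "TRUE":
            continue
        if not props.get("filename", "").lower().endswith(".vmdk"):
            continue  # skip CD-ROM / ISO devices
        mode = props.get("mode", "persistent (default)")  # assumption: unset means persistent
        if mode.lower() != "independent-nonpersistent":
            findings.append((dev, props["filename"], mode))
    return findings

if __name__ == "__main__":
    for dev, fname, mode in persistent_disks(SAMPLE_VMX):
        print(f"{dev}: {fname} keeps changes (mode={mode})")
```

Any disk this reports will survive a reboot with the end user's changes intact, so a secondary or later-added disk is the usual place where a "reverts every night" image quietly stops reverting.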