Lock down Local Area Connection properties...even for administrator accounts

Hi everyone, I have a little conundrum. I want to change the DNS server settings on all our roaming computers in the company so that they point to a cloud-based security service. There are 2 accounts on these machines: one is the general administrator account and the second is the user account. The user account unfortunately has local administrator privilege because many of the enterprise apps require it. My question is: is there any way that I can lock down modifying Local Area Connection TCP/IP properties for EVERYONE in Group Policy editor, or some other way to prevent savvy users from simply changing DNS server entries?

Edit: These are WORKGROUP type computers running mostly Windows 7 Pro and a few XP Pro instances.
carcharias75 Asked:

Don (Network Administrator) Commented:
Sorry... since you say "The user account unfortunately has local administrator privilege..."

There is absolutely no way. A savvy admin will ALWAYS be able to undo whatever you try and do.
0
carcharias75 (Author) Commented:
I understand that there will ultimately be a way to undo it; I am simply looking for a way to make it harder. For example, by disabling the "Allow change proxy settings" option in the local group policy editor, any user would still need to know to launch the group policy editor, find the appropriate key and modify it, rather than just change the proxy settings directly in Internet Explorer. I realize my hands are tied, but I still need to work around their local admin privilege somehow.
0
Don (Network Administrator) Commented:
:)

In that case look over


Configure network connection restrictions with Group Policy
http://technet.microsoft.com/en-us/library/cc732613%28v=ws.10%29.aspx
0
Don (Network Administrator) Commented:
And maybe even

Disable Control Panel

http://msdn.microsoft.com/en-us/library/ms811649.aspx
0
Don Thomson Commented:
With a little bit of experimenting, you should be able to create a new "Semi" Admin group that only has the privileges to run the apps you need to have them run. Then get them out of the "Local Administrators group"
0

carcharias75 (Author) Commented:
You read my mind. I set up a lab environment and went totally granular on required privileges and got them off the broad local admin group.
0
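
Because a local administrator can always revert a lockdown, a drift check complements the approach in this thread. The following is an added example, not code from any participant: an audit that reports adapters whose DNS servers differ from an approved list and any unexpected members of the local Administrators group. It assumes PowerShell 2.0 or later (built into Windows 7, a separate install on XP) and an English group name; the resolver addresses, the allow-list and the function names are placeholders.

```powershell
# Added example (not from the thread). PowerShell 2.0 compatible.
# Assumed, constructed values: replace with your resolvers and allowed accounts.
$ApprovedDns    = @('192.0.2.53', '192.0.2.54')   # placeholder addresses
$ApprovedAdmins = @('Administrator')               # hypothetical allow-list

function Get-DnsDrift {
    param([string[]]$Approved)
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $nic     = $_
            # DNSServerSearchOrder is $null when no resolver is configured.
            $current = @($nic.DNSServerSearchOrder | Where-Object { $_ })
            $extra   = @($current  | Where-Object { $Approved -notcontains $_ })
            $missing = @($Approved | Where-Object { $current  -notcontains $_ })
            if ($extra.Count -gt 0 -or $missing.Count -gt 0) {
                New-Object PSObject -Property @{
                    Adapter    = $nic.Description
                    CurrentDns = ($current -join ',')
                    Unexpected = ($extra   -join ',')
                    Missing    = ($missing -join ',')
                }
            }
        }
}

function Get-UnexpectedLocalAdmin {
    param([string[]]$Allowed)
    # The ADSI WinNT provider works on workgroup machines (no domain needed).
    # Assumes the group is named "Administrators" (it is localized on
    # non-English Windows).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $name = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        if ($Allowed -notcontains $name) { $name }
    }
}

$dnsDrift  = @(Get-DnsDrift -Approved $ApprovedDns)
$badAdmins = @(Get-UnexpectedLocalAdmin -Allowed $ApprovedAdmins)
$dnsDrift  | ForEach-Object {
    "DNS drift on '$($_.Adapter)': current=[$($_.CurrentDns)] " +
    "unexpected=[$($_.Unexpected)] missing=[$($_.Missing)]"
}
$badAdmins | ForEach-Object { "Unexpected member of local Administrators: $_" }
# Non-zero exit code lets a scheduled task or management agent flag the machine.
if ($dnsDrift.Count -gt 0 -or $badAdmins.Count -gt 0) { exit 1 }
```

Saved as a script and run on a schedule under an account the users do not control, it gives a record of when DNS settings or group membership changed, even where the change itself cannot be prevented.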