All computers are Windows 7 Pro.
The company owner doesn't want employees to have the ability to change passwords or otherwise damage computers if they leave the company under unhappy circumstances.
He also doesn't want to have to call in the outside IT company to put in an administrative password for them every time that there is a Windows, Java, Flash, etc. update. (Although IT can connect remotely with TeamViewer)
Is there any way to set a local security policy to enable a Standard Windows user account to install their own updates, but keep all the other restrictions of a standard user?