Re: Re: [suse-security] A simple and secure FTPd
Sadly, I fear that the solution "out of the box" is the only way to follow when someone likes to deploy workstations in a small/medium/large environment `-(
This is certainly true if you install the workstations using the provided setup tools: I've had some success in installing and then copying a "secure" workstation onto other PCs, as in: install & configure what you can, apply known fixes, create a disk image and "clone" the system to other computers using tools like Ghost, DriveImage or GNU parted (or even dd :-), then add the required local customization (hostname, X server or computer name and video driver, depending on the OS). You are obviously limited by the flexibility of your OS's configuration structure and drivers (Linux/Unix do a very good job in this area compared to Win*.*) and by how many (wildly) different HW configurations you have. For our LAN (around 100 clients) this works rather well, and I'd say on larger LANs the gains are even greater (if you plan your PC purchasing carefully).

The BIG problem that remains is update installation. In Linux something has been done, but the tools are so primitive that for now (IMHO) it's still better to do it yourself (lest someone ends up eating all your file descriptors after 25 days...). On Windows you are on your own even with SMS and the like, since Windows "packages" tend to nuke your machines when they find something "strange". Maybe now that Microsoft has "innovated" the MSI (Microsoft Installer) package idea from the Linux world something will change, but I doubt it (since sometimes I got nicely "nuked" with RPMs too, and many Windows people cannot test their installation on a significant number of different systems).

I'd say that the problem boils down to the amount of "LAN environment planning" you are able to do before you start building the LAN or when you're about to do a major upgrade. Obviously in the most common situations this is very difficult to do because of all the pressure from users and other problems, and in the end this becomes the main reason for unstable and/or poorly secured LANs.
I've had more than one argument with all my "bosses" over the years on these kinds of things, and only sometimes have I been able to convince them... (this is a sad job! :)

Ciao, Roberto.