EH-Net

Ethical Hacking Discussions and Related Certifications => Hardware => Topic started by: eth3real on December 07, 2011, 05:48:59 PM



Title: Prevent ntpasswd?
Post by: eth3real on December 07, 2011, 05:48:59 PM
So, I was playing around with the Offline Windows Password & Registry Changer (http://pogostick.net/~pnh/ntpasswd/) earlier today (basically a stripped down version of Linux with the ntpasswd tool installed), and it got me thinking. Is there any way to prevent someone from using this tool against your workstation/laptop? I mean, to use the tool implies that you already have physical access, which (in my opinion) makes the attack 90% easier. The tool is able to change or just flat out remove passwords for any user accounts, has the ability to enable accounts that have been disabled, and elevate privileges for users that are not Administrators. It also has a registry editor, which has come in quite handy on more than one occasion.

The only thing I could come up with would be to remove USB/CD/floppy from the available boot drives, and set a BIOS password so it can't be changed. I know that on desktops, you can clear the CMOS pretty easily if you have physical access (which we're already implying is the case), and that usually clears a BIOS password. Not sure if you can do that on a laptop. Is there any way to harden Windows against this type of attack? Encrypt the partition?
I'd love to hear everyone's opinion on this.


Title: Re: Prevent ntpasswd?
Post by: BillV on December 07, 2011, 08:20:46 PM
I think you listed the ways... block booting and encrypt the drive.


Title: Re: Prevent ntpasswd?
Post by: eth3real on December 07, 2011, 09:14:56 PM
I figured you would say that. :P

Since BIOS passwords can potentially be reset, leaving the boot options open again, partition encryption sounds like the only reasonable approach. That being said, is there really any way to implement partition encryption across a corporate network?

Or the obvious answer, just install Linux. lol


Title: Re: Prevent ntpasswd?
Post by: 3xban on December 08, 2011, 07:17:29 AM
I believe Check Point Full Disk Encryption can support network-based encryption policies and push out the command to encrypt the disk. It also handles media encryption as well.


Title: Re: Prevent ntpasswd?
Post by: BillV on December 08, 2011, 09:00:14 AM
Our company uses McAfee Endpoint Encryption. Seems to work pretty well.
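A defender-side check for the approach the thread converges on (make the disk unreadable to an offline boot disk), added here as an example; it is not code from anyone in this thread. It assumes BitLocker as the full-disk encryption product (the posts above name Check Point and McAfee instead), the BitLocker and TrustedPlatformModule PowerShell modules, WinRM for remote hosts, and administrative rights. Get-FdeStatus and Invoke-FdeAudit are hypothetical helper names, and the host names in the example run are placeholders.

```powershell
# Added example: audit whether each host's OS volume is fully encrypted and
# actively protected, so a bootable tool like ntpasswd cannot read or rewrite
# the SAM hive offline. Assumes BitLocker (a choice made here, not in the
# thread), the BitLocker and TrustedPlatformModule modules, and admin rights.

function Get-FdeStatus {
    # Hypothetical helper name; collects the facts a fleet audit needs from one host.
    $os  = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $tpm = Get-Tpm

    # ProtectionStatus 'Off' on an encrypted volume means BitLocker is suspended:
    # the volume key is stored in the clear and an offline boot disk can unlock it.
    $protected = ("$($os.VolumeStatus)" -eq 'FullyEncrypted') -and
                 ("$($os.ProtectionStatus)" -eq 'On')

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        OsVolume         = $os.MountPoint
        VolumeStatus     = "$($os.VolumeStatus)"      # FullyEncrypted / FullyDecrypted / EncryptionInProgress ...
        ProtectionStatus = "$($os.ProtectionStatus)"  # On / Off
        KeyProtectors    = ($os.KeyProtector.KeyProtectorType -join ',')
        TpmPresent       = $tpm.TpmPresent
        TpmReady         = $tpm.TpmReady
        Protected        = $protected
    }
}

# Fan out across a list of hosts (WinRM assumed). Hosts that fail to answer
# are reported rather than silently skipped, since an unreachable laptop is
# exactly the kind of machine that walks out the door.
function Invoke-FdeAudit {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) {
                Get-FdeStatus
            } else {
                Invoke-Command -ComputerName $name -ScriptBlock ${function:Get-FdeStatus}
            }
        } catch {
            [pscustomobject]@{ Computer = $name; Protected = $false; Error = $_.Exception.Message }
        }
    }
}

# Example run: list every host whose OS volume an offline boot disk could still read.
# 'PC-ALPHA' and 'PC-BRAVO' are placeholder host names.
$results = Invoke-FdeAudit -ComputerName @('PC-ALPHA', 'PC-BRAVO', $env:COMPUTERNAME)
$results | Where-Object { -not $_.Protected } |
    Format-Table Computer, VolumeStatus, ProtectionStatus, KeyProtectors, Error -AutoSize
```

Two things the report makes visible that a simple "is it encrypted" answer hides: a volume that is FullyEncrypted but has ProtectionStatus Off is effectively unprotected, because a suspended BitLocker volume keeps its key in the clear; and a host with no TPM-bound protector depends entirely on whatever the user typed at boot. The check says nothing about the BIOS boot-order and BIOS-password settings discussed earlier in the thread, which are firmware state and have to be verified out of band.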


Title: Re: Prevent ntpasswd?
Post by: eth3real on December 08, 2011, 09:24:40 AM
Thank you 3xban and BillV, very helpful info. I'm really not too worried about this kind of attack, but it was something that crossed my mind yesterday and I just wanted to see if anyone had security measures against it. I hope others can get some use from this information.