The only thing I could come up with would be to remove USB/CD/floppy from the available boot drives, and set a BIOS password so it can't be changed. I know that on desktops, you can clear the CMOS pretty easily if you have physical access (which we're already implying is the case), and that usually clears a BIOS password. Not sure if you can do that on a laptop. Is there any way to harden Windows against this type of attack? Encrypt the partition?
I'd love to hear everyone's opinion on this.