Sorry I don't have much to add here, but I did notice this one line below.
I think some/much/all of the value of a 1-1 comes from the learner's ability to personalize their experience.
Locked-down machines may be counterproductive to that end.
Students also seem to have some/good/sufficient exposure to iPads (you have two carts) that might push you towards Chromebooks as a way of broadening their experience? and as an experiment?
Given the choice of device, our 1-1 teachers put iPads at the bottom of the list (they would like access to an iPad cart however).
My latest thought is to run BlueStacks on a Windows machine, so that the learner has access to a limited virtual tablet experience running over their main OS.
that we can lock down to focus on our Google Apps, making it a school computer.