Since each student will have their own AD accounts, making them limited its important, as not only will it prevent users from installing crap, but minimize any chances of virus damage. It would be a good practice to lock down the machines with group policies, that should prevent students from not only installing, but from modifying settings on the computers as well.
To prevent outside intrusions and viruses infections, I would upgrade from Smoothwall to Untangle it offers IDPS (intrusion prevention system) and the best antivirus on the house (kaspersky).
And then I would use deepfreeze as suggested by Sparda to heal the machines.