ok,

first let me respond by saying that - if an organization has 45 production servers - then they also need the infrastructure to keep all workstations logged and patched automatically (IT dept's problem - but very doable)...

secondly, in many environments (especially large corporate retail) developers must write, test, and deploy automated jobs every day, all day - it's just a fact of life and there's no way around it - and that's exactly why i say put sql server on the developer's boxes that need to run the automated jobs - that way you can setup rights from those boxes to the servers that allow jobs to be run, but that's it....this is how you will implement the last piece of the security puzzle without clamping down on production (and that is what it's all about - production)

lastly, there's no happy medium to security anymore - you get your IT dept to put automated norton or mcaffee on every box, install a policy on every box that dis-allows installation of 3rd-part software, and you automate patches and updates once a day or once a week - then you implement a strict policy about the workstations - you can do all of this and still provide an open dev network w/sql server and all of it's features..!

and you will find that the IT dept will be very open to creating policies on the dev boxes.

good luck!