Speaking as a long-time IT Director/VP for both government and private sector organizations, this is a sticky situation. However, based on the fact that the computers are purchased by the students, it is their computer - not government property. The resources that the computer attach to are government property, so there should be policies in place to ensure that the connections are appropriate and protections are in place. There are methods/technology that can be put in place to allow access to the network infrastructure only from computers that are up-to-date with the latest virus eradication software and verified "clean". This is handled within the network infrastructure of the school, not at the local machine level. Additionally, blocking sites is handled at the firewall - this is perfectly acceptable at most businesses/schools/etc. (FYI, Denver International Airport, which provides free WiFi service to travelers blocks sites that could be viewed as "inappropriate"). If the student is using the USMMA connectivity for Internet access, KP has every right to limit the sites that are viewed.
With all of that said, providing the kids with local administrator permissions (or simply using a global policy within Active Directory) to allow for the basic needs (i.e., changing time, installing software, etc) should be an acceptable practice, and I believe that an easy route was taken by just removing the local user from the local administrative group...it's a practice that I've seen many times, typically by an IT organization that doesn't have a skill level necessary to implement good security, but also to allow for a functional level of operation.
Just my .02 - but I'm quite passionate about this one
