If they are resetting BIOS passwords, theyre prob just rebooting the machine and going into the setup. You would do well to not allow them to shut the machine down! 1. Can you make the physical machine non-accessable to them?. 2. use a local security policy, in user rights assignment there is an option called "shut down the system". Take out the "users" group from that policy, and make sure all the students are under the users group (network wise).
Since you have a company running the network, they can do this easily via a logon script, generated from their end. Ask them to do it, that will propogate to all users who belong to that group. On your end you'll just need to physically lock up the machines (so they can't do a hard shutdown/reboot).
