This is more of a productivity question than security. If you want the best possible security, then yes, locking down user accounts will get you that. However, locking down developer accounts will just get in their way. For example, you seem to have everything they will require provided for, but what about:
- Preferred browsers
- Preferred email clients
- Preferred chat clients (if applicable)
- Text editors
- Other tools (grep, Python, Wireshark, etc.)

Your options here are:
- Don't hire anyone who doesn't like your preferred tools (and lose good talent).
- Hire those people but don't let them use their preferred tools (and lose productivity and morale).
- Spend your time researching every tool your developers want (wasting your own time and potentially blocking your developers' work until you do it).
- Install whatever tools your developers want (making this policy pointless).

Keep in mind that these aren't general (computer-illiterate) users. You're talking about treating people who write software as if they don't understand anything about computers or security. If you can't trust your developers not to install viruses on their computers, why are you trusting them to write software?

It's worth mentioning that you don't want anyone to be working as a superuser; you just want them to have access to administrator tools. So on Linux, your developers should have sudo permission, but obviously shouldn't be logged in as root. On Windows, your developers will need to be administrators, but UAC can prompt them before doing anything that requires admin access.