Hi
To protect against a program that boots and changes settings on your hard disk, I suggest using BitLocker to encrypt your local disk, and then removing the possibility to boot from a USB device in the device BIOS (and password-protecting the BIOS).
To protect your network you can use IEEE 802.1X Port-Based Authentication, but it's costly. It's a RADIUS method that makes the device authenticate to gain network access. If you can't use a costly method, I would make sure only your devices can get an IP from the DHCP, and disable unused network ports on your switch.
To add a layer of protection against viruses and firewall, you could set up AppLocker rules to prevent unauthorized apps from running.
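
A read-only check of the host-side settings mentioned in this answer, added here as an example and not part of the original post: it reports volumes that BitLocker is not protecting and AppLocker rule collections that are empty or audit-only. It assumes an elevated PowerShell session on a Windows edition that ships the BitLocker and AppLocker cmdlets; the function names are hypothetical.

```powershell
# Added example: audits BitLocker and AppLocker state. Changes nothing on the host.

function Get-BitLockerFinding {
    # One finding per volume; Ok only when protection is on and encryption has finished.
    Get-BitLockerVolume | ForEach-Object {
        $protectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        [pscustomobject]@{
            Control = 'BitLocker'
            Target  = $_.MountPoint
            Ok      = ($_.ProtectionStatus -eq 'On') -and ($_.VolumeStatus -eq 'FullyEncrypted')
            Detail  = "Protection=$($_.ProtectionStatus) Status=$($_.VolumeStatus) Protectors=$protectors"
        }
    }
}

function Get-AppLockerFinding {
    # AppLocker rules are only evaluated while the Application Identity service runs.
    $svc = Get-Service -Name AppIDSvc
    [pscustomobject]@{
        Control = 'AppLocker'
        Target  = 'AppIDSvc'
        Ok      = ($svc.Status -eq 'Running')
        Detail  = "Service status=$($svc.Status)"
    }

    # Effective policy = local policy merged with any policy delivered by Group Policy.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml
    foreach ($rc in $policy.AppLockerPolicy.RuleCollection) {
        $ruleCount = @($rc.ChildNodes | Where-Object { $_.NodeType -eq 'Element' }).Count
        [pscustomobject]@{
            Control = 'AppLocker'
            Target  = "$($rc.Type) rules"
            # AuditOnly only logs; NotConfigured with rules present is enforced by default.
            Ok      = ($ruleCount -gt 0) -and ($rc.EnforcementMode -ne 'AuditOnly')
            Detail  = "Mode=$($rc.EnforcementMode) Rules=$ruleCount"
        }
    }
}

# Failing checks sort first.
$findings = @(Get-BitLockerFinding) + @(Get-AppLockerFinding)
$findings | Sort-Object Ok | Format-Table -AutoSize -Wrap
```

The BIOS password, USB boot setting, 802.1X, DHCP and switch-port settings are outside what these cmdlets report and have to be checked in the firmware setup and on the network equipment.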