If you tell enough stories, perhaps the moral will show up.

2007-05-25

Quickest Compromise

Browsing round Ikea today I saw sales workstations left logged on to a Windows console, and that set me thinking. Our AUP requires users to lock their workstations on leaving them because the default screensaver lock of fifteen minutes is easily long enough for a malicious passer by to compromise the whole network, and I think that's fair enough. But I wouldn't have fancied standing in front of one of those screens trying to hack Ikea for more than about ten seconds. "Hey you..." So what's the quickest possible way to carry out an opportunistic compromise?

  1. It's a real console -- a PC screen, keyboard and mouse.
  2. The logged on user is not an admin or a power user.
  3. You can reboot (but not change a password), but the only boot device is the HD. USB, floppy etc. are all closed.
  4. Internet access is through a proxy server running a business-access-focussed site category policy.
Extra credit for universal applicability, and evading basic security precautions:
  • ICAP server running signature checks on downloads
  • No access to root of C:\ or anything other than the local profile
  • No command line, regedit, ....
  • Minimal profile in the event and proxy logs
  • Hacked user can return to the console and notice nothing

I suppose the key points here are the exploit itself and the phone-home to control it. My mind is running to a binary exploit file, customised enough to pass signature checks, uploaded somewhere innocuous, and renamed after download to the desktop. The phone home is tougher.
