One way of achieving the user-unconfigurability would be to rebuild the xscreensaver package with a patch that removed the code that read ~/.xscreensaver. Long-winded but it would work.
At the moment, this feels "right," but also a little over our heads. A frequent cron job that replaces .xscreensaver with our default does not sound so bad, in comparison. But maybe this is an excuse to look at some code and see if I can figure it out (not generally my strong suit :-)).
Actually it's not quite this simple. xscreensaver will also check the X resource database, though settings in ~/.xscreensaver would override the X resource database settings. It *might* be enough to change the filename for the ~/.xscreensaver file in the code to somewhere that users can't write to, such as /etc/xscreensaver, but you might have to specify all possible settings in that file to ensure that X resources wouldn't have any effect.
Paul.
