Re: refine this method
Here is the list of servers to block in order to frustrate Microsoft Update.
As for "physical system with an actual key which would need to be turned to gain root privileges" you could probably do it with an internal RS232 port, which I think most motherboards still provide. Something like join Tx to Rx with a keyed switch, and poll that whenever someone tries to sudo? Dunno.