The New South Wales state Government is incompetent. Let's get that out of the way to begin with.
To follow that, the Department of Education and Training (DET) is, perhaps, its most incompetent branch.
Throughout primary school (the first seven years), security wasn't an issue. At my school, however, nobody was really tech-savvy enough to take advantage of that fact.
The same year that I hit high school (the next six years), the DET started the rollout of their shiny new state-wide network. Possibly the most bloated and ineffective software system I have ever had the misfortune to encounter, and I had to use a desktop running Windows ME for five-odd years.
Each computer had a local generic "student" account, a local generic "staff" account. Each student had an account for network access, as did each teacher (with more privileges) and the admin had the most privileges of all. Each school had a big shared server, which hosted ALL the files for the entire school network. Yes, this means that once the server is full, nobody gets to save things anymore. The local storage on the computer was completely inaccessible, only network storage could be accessed. Students had access Home directory (H:/), with read/write privileges, and a "Student Data" directory (S:/), which was mostly read-only.
Passwords were chosen by the students, and fell under the usual password rules (alphanumeric only + spaces), but with no minimum length requirement. Usernames came in the form Firstname.Lastname(n), where n is left off if you are the first student with this name in the state, and after that starts counting at 1. Everybody logged in to the school server, and teachers and admin got access the other directory, which basically allowed them to connect to the BIG server for the entire state in Sydney. Interestingly enough, my full name exceeded the maximum length for the username field in the database in Sydney, meaning that, while I logged in with the usual Firstname.Lastname combo, to Sydney (and to admins), I appeared as a string of random characters (something like "fhhzwqwqeqwqeqqe#//"), which was effectively indistinguishable from anyone else with a username that was too long. I never used this to my advantage, but I can't speak for any of the others. The interesting part about this is, that instead of being connected to the schools version of our server, I was connected to Sydney's version of our server. Since our schools networked printers weren't connected to Sydney's version of our server, I couldn't print from my own account. I had to pester the librarian every time I wanted to print something, and she'd let me print on her account from a thumbdrive.
That half of the system (known as the school intranet) was reasonably well set-up. Students could be easily identified by interested parties, because their username left no room for anonymity (with the exceptions of those with extensive monikers). The only real exceptions are the fact that Control Panel and the Command Prompt were disabled, but the Run... dialog wasn't, so they could be accessed through Run -> "cmd.exe", etc., and the fact that the local hard drive could be accessed (read/modify privileges, no ability to create new files, and pointless using it for extra storage). This was done, quite simply, by accessing the H:/ drive, right-clicking, selecting "Create Shortcut", and pointing it at C:/
The other half of the system is where the incompetence really shines. The system was rolled out before proper completion, because the school year was starting too soon. There was intent to patch up the issues, but this only occasionally happened. Upon opening a web browser, a dialog box would appear, asking for a username and password. This was the same username as the school network login, and another custom password. So far, so good. The dialog box, for no good reason, appeared no less than eleven times each time a new connection was established. After which, you'd be redirected to a generic "Portal Login" page, and have to login AGAIN, through a fancy web interface. After logging in a dozen times, you are shown a usage policy, which is fairly stock-standard ("No cyber-bullying, no pornography, no offensive content, we can and will find you"). This was accompanied by two options. Agree/Disagree. Disagree boots you off the network. Agree takes you to a launch page for the internet (within the confines of the DET filter bubble). With the initial rollout, "Agree" didn't work. Both links would boot you from the network. Until I tried to use the network, nobody in the school had found a fix, and Sydney couldn't push a fix through for x amount of time for bullshit reason y. Instead of clicking "Agree", I typed "http://www.google.com" into the address bar, and was rewarded with internet access. Unfathomable. That was, however, fixed, and life moved on.
There was also the issue of student email, which was a custom gmail setup, and required a further dozen logins to access. Strangely, my "fhhzafaeggfgff#//" affliction didn't affect this level of the network, only the intranet. Not really sure why. This email account was incredibly bloated, had a filter on it which arbitrarily filtered emails on the grounds of "offensive content", and had the oppressively long domain of email@example.com
The DET bubble operated on a blacklist system, which started with a list of pre-blocked sites, and the list was expanded over time by teachers and admins reporting sites to be added to the list. All well and good, except for nearly every case, because I have met perhaps three teachers over the course of thirteen years who were not completely computer-illiterate. The practical upshot of this is that teachers would not understand what they are seeing, report it, and have it blacklisted by some drone in the Sydney office who just needs to get these reports out of his inbox so he can do some actual work. This year (one year after I finished), this system was replaced with a whitelist system, whereby everything (bar a few necessary websites) is pre-blocked, and if a site is required for a justifiable educational purpose, it can be submitted for review in the Sydney office, and maybe eventually unblocked.
There was also the whole Rudd laptop scheme, which was a shambles from the outset, and the installation of smartboards in every school. I never got the chance to play with one of the student laptops, so I can't speak to how well they worked.
All in all, a decent system, security-wise. I never really tried too hard to get around it, but it would have been traceable if I had. The only really grating part of it is the amount of bloated and unnecessary faff involved. It smacks of incompetence, really.