Jeebus, this has been done eons ago.
Think X-Terminal, except with horsepower. If you setup a proper nfs-tree and boot-images, configs... among other things. In DHCP you can assign an IP Address to a fixed Ethernet Address. I do that all the time.
Infact only three machines have non-DHCP configured addresses. The DHCP/NTP/Print Serving Consolidator, the primary mail server and another machine for DNS (and webserving and such)
\n# hp9000\n host hp9000 {\n hardware ethernet 00:01:E6:39:45:53;\n fixed-address 192.168.1.6;\n }
That kind of thing. The only thing needed is a good uptime, reliable tftp server. Oh, one other thing... just startx when they login from .profile, auto-login seems like the key here. As they need to use the ICA and a Java App. Fluxbox is good. Blackbox is good. But IMO, FVWM2 is by far the one you want to work with in this regard.
With FVWM2, they won't be able to piss without access. You can even restrict it so that it can't be logged out. As well, you can configure a runlist that only shows WHAT you want. No override possibility if you remove checking for and using the users preference and rc files. FVWM2 is spartan, it runs on the most modest hardware I know of.