The moment an end-user has physical access to its computer, and the possibility to boot from DVD / USB he/she can boot from whatever image that can be downloaded to reset passwords and more. So what you are looking at needs more than just a password on our recovery media
I am actually not sure if the windows recovery image we modify supports password protection but we can look at that. However, I would look more into a few things to avoid an end-user to succeed in this.
1. Make sure your BIOS is protected with a company wide administrator password so your end-users can't change anything (So no more booting from USB or DVD unless you change it as admin)
2. Don't let the boat loader appear so your end-users can't see it. (Administrators know how to get into it)
But in the end, a smart end-user probably knows how to get into it. I know you can password protect booting, but I don't know if you can password protect a single instance in a boot loader menu