Thanks for all the replies and good ideas. His case has a lock on it already actually, which is nice for the BIOS password. That can prevent one option I considered, booting with a bootdisk like Knoppix that has web access.
I had considered a hardware router with security, and thought it was the best option, until I realized he could just unplug it and plug the modem straight into the computer.
So the BIOS PW with case lock will stop booting from a disk. I can have a trusted friend or the wife keep the password.
The remaining problem is setting up a new partition. There's 2 ways to go about this - either prevent installation of new programs altogether (maybe use TrueCrypt?), which I'd like to avoid b/c it would be a pain to have to use a pw to install a program each time (though this could be done). Or, if there's a way to simply prevent new partitions from being installed or prevent modification of partitions, that would be ideal (programs like gparted can reduce the size of a single partition as mentioned earlier).
Luckily, this doesn't have to be completely foolproof, but does have to be a significant impediment. He has mentioned that trying to crack the BIOS pw would be too much effort, and setting up a new partition is about as far as he would go.
So, if anyone knows anything about restricting partition formation on HDs, that would be great. Thanks again!