If you have a company policy for powering down every night - and many do...

Here's a methodology for handling that:

(1) For the machines running XP SP 2 -- enable the option to "Install
Updates at Shutdown", combined with notification of update approvals, so
that users anticipate the presence of that option when it appears. When the
policies affecting this option are set to "Disabled" (rather than Not
Configured, as documented incorrectly), the user will be presented with the
"Install Updates and Shutdown" option, by default, and the updates can be
installed at the end of the workday.

This entirely eliminates any issue with user intervention, Local Admin
privileges, or issues of restarting during the workday.

For Windows 2000 systems, this option isn't available, so you're limited to
the cooperation of the users, and a scheduled install time during working
hours. In this case, scheduling the install at 4:30, or as late in the
workday as possible is probably the best option. You can also set the delay
before restart to up to 30 minutes, so it's conceivable that Windows 2000
users can totally avoid seeing a restart prompt until after 5pm.

(2) In light of (1), enable the "Reschedule Automatic Updates scheduled
installations" policy to ensure that any XP SP2 systems that do not install
at shutdown, or during the scheduled installation, will be forced to install
at powerup the next morning, after the configured delay. Personally I think
the best option for this is "Not Configured" so that the install happens
/one/ minute after powerup, which has the highest likelihood of completing
and restarting, before the user ever gets back from the coffee pot.

(3) In the event that installation at powerup is just not tolerable, you'll
be reliant on late workday installations. In those cases, I would suggest to
seriously consider the use of deadlines after some nominal period of time..
say 7 days after approval. Particularly if you're not able to ensure
installation of updates without some form of user cooperation.