My colleague, Dave Field, is doing a webcast for MS on April 9th on how to leverage the extensive capabilities of device lockdown to manage the applications running on your WM device.
This is an area where MS have invested considerable effort into giving the administrator and device owner a very high degree of granularity over which applications will actually execute on your device. As part of a 'defense in depth' strategy, having the capability to define which applications may run goes a long way towards addressing issues over malware and viruses that have been so prevelent in the PC world.
I already know this is going to be a really good session, extremely informative, and well-presented. Dave really knows what he's talking about, and can articulate it in a fashion that can be understood by mere mortals (like me!).