We are late to the Windows 7/ZCM party, and we began upgrading computers to Windows 7 with ZCM 11.2.4 early this year. Since then we have been having random problems related to policies and profiles, and I could really use some help. Although we are having three significant problems, I will start with the main issue. Sometimes when our staff log in, user policies do not work. Although ZCM reports that they are effective, I can tell they are not working because, among other things, the user has all icons in the Windows Control panel when they should only have a few. This problem comes to our attention when staff report that they cannot access any secure web sites through IE. We have been unable to determine whether this is as a result of the non-working policy.

Our environment:
Windows 7 Pro SP1 x86 and x64
ZCM 11.2.4 on one SLES 11 server
All workstations running 11.2.4 agent
Roaming profiles saved to OES home directories
Computer and user group policies
Staff user policies consist of a base policy for all users followed by another user policy with adjustments for staff
DLU: Both students and staff have DLU with volatile local users. Students' local accounts are not cached, and they do not seem to have the same problem as staff, whose local accounts are generally cached so that they can take their notebook computers home.

What we know:
At any given time the problem only seems to affect a certain staff member on a particular computer. They can move elsewhere without the problem, and others can use the problem machine without issue.
Deleting the user's profile on the problem computer fixes the immediate problem.
Configuring the user with a DLU policy that does not cache the local user account seems to fix and prevent the problem.
The problem seems to be triggered or at least more common when a staff member users more than one Windows 7 computer. Those who stay on one computer all the time don't seem to have this problem.

Other issues we're having, in case they may be related:
Occasional problems with the Computer group policy failing - Generally fixable with "zac cc" followed by "zac refresh"
Random messages on logon or logoff about being unable to completely sync or access the roaming profile

I've been unable to find any messages in Windows event logs or the ZEN agent logs that have been helpful to me. I'd very much appreciate any insights and troubleshooting assistance on this. Thanks.