You had all the components of SEP installed on that machine, including NTP / Application and Device Control.
This would be my approach, as the laptop is stolen. These steps take place whenever he connects to SEPM:
1) Create a new group, move the client
2) If NTP is not already installed, follow this to install NTP
http://www.symantec.com/business/support/index?page=content&id=TECH90936
3) Download this policy, check block executables from running, under blocked process use *.*
or *.exe; this would block all the apps, including explorer or even winlogon.exe,
http://www.symantec.com/business/support/index?page=content&id=TECH132337
This policy is for that GROUP only.
Once he connects, he will be gone forever.