I think you could also do what, in the old days, used to be called "hooking into the GINA chain", but which is less invasive on more recent operating systems, IIRC. I don't know how we do it these days. In the old days you used to just write your own GINA and stick it in the registry. You just had to make sure to properly call the real GINA once you were done. If you messed it up, you hosed the system and made it unbootable. I think the newer procedures for this are better at presenting less risk for OS bricking than the old way, but I don't know what the procedures are.
It also occurs to me that Windows should already have features that allow for a Kiosk Mode setup, and don't require you to do anything fancy with key mapping. I don't know this for sure, but there's gotta be an official Microsoft-sanctioned way of doing this. I'd research to find out what that is.
I don't think Ctrl-Alt-Del was ever meant to be the end-all be-all security protector. Being able to disable it or hook it once you're an admin is a perfectly normal thing to want to do (you are one such example). It's just one layer of possible security.
GINA is not available under Vista and later, and the replacement technology does not allow you to replace the "secure logon" process with your own, only to provide additional methods for authentication.
Replacing the shell for a user does allow you to operate Windows in a kiosk-like mode, as there is no shell running, just your application. However, the problem still remains with the SAS: you can, by fiddling with many registry settings, disable all the options in the SAS window so that the only valid response is cancel, but this is not really good enough in a kiosk application, as it allows the "kiosk" to be put in a state which may well confuse potential users of the kiosk. (And if all the options are disabled, then why bother showing it anyway?)
And yes, being able to disable it is a perfectly reasonable thing to want to do if you have admin privileges; unfortunately, Microsoft have not provided an option to do this (well, you can use XP Embedded). I'm just musing that I can't figure out why, seeing as it still is possible to fake the SAS using a kernel mode + user mode combination.
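A read-only audit of the kiosk lockdown state described in the reply above, as an added example that is not part of the original posts. It assumes the standard Windows policy value names for the Ctrl+Alt+Del screen options and the per-user `Shell` override under Winlogon; the thread itself does not name any registry values.

```powershell
# Added example: report which Ctrl+Alt+Del (SAS) screen options are still
# offered to the current user and whether a replacement shell is configured.
# Read-only: nothing is written to the registry.
$sys = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$exp = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Policy value names are the standard Windows ones (assumption: not from the thread).
$checks = @(
    [pscustomobject]@{ Option = 'Lock';            Path = "HKCU:\$sys"; Name = 'DisableLockWorkstation' }
    [pscustomobject]@{ Option = 'Change password'; Path = "HKCU:\$sys"; Name = 'DisableChangePassword' }
    [pscustomobject]@{ Option = 'Task Manager';    Path = "HKCU:\$sys"; Name = 'DisableTaskMgr' }
    [pscustomobject]@{ Option = 'Sign out';        Path = "HKCU:\$exp"; Name = 'NoLogoff' }
    [pscustomobject]@{ Option = 'Switch user';     Path = "HKLM:\$sys"; Name = 'HideFastUserSwitching' }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$report = foreach ($c in $checks) {
    $v = Get-RegValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Option       = $c.Option
        Policy       = $c.Name
        Value        = if ($null -eq $v) { '(not set)' } else { $v }
        StillOffered = ($v -ne 1)   # an unset or 0 value leaves the option visible
    }
}
$report | Format-Table -AutoSize

# A per-user Shell value replaces explorer.exe for this account only.
$shell = Get-RegValue -Path 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'Shell'
if ($null -eq $shell) {
    'Shell: no per-user override (machine default applies)'
} else {
    "Shell: per-user override -> $shell"
}

$open = @($report | Where-Object StillOffered)
"{0} of {1} SAS screen options are still offered to this user." -f $open.Count, $report.Count
```

Run it in the kiosk account's own session, since four of the five values are per-user (`HKCU`).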