Sorry for OT, but I have to disagree with this: "Yes there are a lot less malcode variants in existence for Linux but that does not mean that Linux machines do not very commonly become infected as unfortunately they do". This depends a lot on how you define "very commonly".
I don't have any figures at hand, but I'm willing to bet that the relative rate of infection (that is, number of infected boxes/installed boxes) is several orders of magnitude higher for Windows vs Linux. Probably even if you'd compare only recent versions of desktop Windows (say Vista + 7) versus the entire installed base of desktop Linux variants. This is not entirely the fault of the OS; the users are many times to blame.
However, saying that Linux boxes are very commonly infected is bending the truth quite a bit. In my experience (I used to be a Linux/Windows/NetWare sysadmin) an infected Linux box is a very rare animal. That doesn't mean there are none, or that Linux is impregnable by design, but to hint that the infection rate is even comparable to what you'll see on Windows boxes is like comparing raspberry seeds to giant pumpkins.
OTOH on a "poorly protected network" it doesn't really matter what OS you run, you'll get in trouble one way or the other, sooner or later.
In the case of a properly set up (Linux or otherwise) school environment, the client machines would have 0 incoming ports open, and the users would not have root/admin access, so both the attack vector and the amount of damage possible would be very limited. A per-client firewall should not even be strictly necessary; there should be nothing (not even inetd) answering incoming packets in the first place. However, a very basic filter (e.g. iptables) could block any traffic (incoming & outgoing) that is not explicitly allowed, to make sure no user-installed software is doing anything nasty.
If boxes still get infected due to some oversight or malicious users, you fix the hole on the network-hosted OS image and reboot the clients off it, problem solved. Since the other clients do not have any ports open, the infection will have a hard time spreading. If you manage to get your network-hosted OS image infected, you should be looking for a new job, for several reasons.
Back on topic:
There are client/server school Linux distributions, e.g. "Skolelinux", that are for use cases exactly like this. I have no personal experience of them, but I'm sure they could save a lot of money for a school with limited funds. If needed you could have a mixed environment where Windows-only software could run on a terminal server with a limited license count.
I would guess that using the Pi as a desktop replacement may be frustrating, mainly due to limited RAM, but it should be very good as a thin client. I'd suggest using the old computers for thin clients, investing in a server box (or two) to run a terminal server (Windows/Linux/whatever) and replacing the old boxes with Pis as you go. The servers could well be homebrews based on quality desktop hardware; you get a lot more bang for the buck that way than buying brand-name servers.
Designing the whole system may be some work, but it should be relatively easy to manage if done right, lots easier than managing some 90 desktops independently.
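
The client posture described in the post above (nothing answering incoming packets, and a filter that blocks all incoming and outgoing traffic not explicitly allowed) can be checked mechanically on each client image. The following is an added example, not part of the original post: a Python audit over `iptables-save` and `ss -ltnH` output, where the sample inputs are constructed and the function names `audit_firewall` and `audit_listeners` are hypothetical.

```python
import re

# Constructed samples (not from the post): iptables-save and ss -ltnH output.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
SAMPLE_SOCKETS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
"""

def audit_firewall(rules):
    """Return findings for the filter table of an iptables-save dump."""
    findings, in_filter = [], False
    for line in rules.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = (line == "*filter")
        elif not in_filter:
            continue
        elif m := re.match(r":(INPUT|OUTPUT) (\S+)", line):
            if m.group(2) != "DROP":
                findings.append(f"{m.group(1)} policy is {m.group(2)}, not DROP")
        elif line.startswith("-A INPUT") and line.endswith("-j ACCEPT"):
            # Loopback and replies to our own connections are expected.
            if "-i lo" not in line and "ESTABLISHED" not in line:
                findings.append(f"accepts new inbound traffic: {line}")
    return findings

def audit_listeners(ss_output):
    """Return local address:port of sockets listening beyond loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            host = fields[3].rsplit(":", 1)[0].strip("[]")
            if host != "::1" and not host.startswith("127."):
                exposed.append(fields[3])
    return exposed
```

On a real client the two inputs would come from running `iptables-save` and `ss -ltnH` as root; an empty result from both functions matches the setup the post describes.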