Following up on a previous post about Credential Roaming (aka DIMS): http://blogs.technet.com/b/instan/archive/2009/05/26/considerations-for-implementing-credential-roaming.aspx
With a recent DCR to Windows 7 & W2k8 R2 (http://support.microsoft.com/kb/2520487) it is now possible to filter out specific types of credentials from the credentials that will roam to your AD database.
Post-hotfix default behaviour is to not roam unaffiliated keys, unused keys and smartcard certificates.
The caveats here are:
*this fix has been ported to W2k8/Vista since this post was written.
AD DS database size increases significantly when the Credential Roaming feature is enabled in Windows 7 or in Windows Server 2008 R2http://support.microsoft.com/kb/2520487