I deal with this a lot from the Network Engineering side. Programmers here are normally given a bit of leeway and respect because in theory they're professionals and will follow security protocols without needing their hands held. So best policy is to try and get them to comply informally.

Methods for internal resolution are for the team to police each other as outlined in other answers by a system of small harmless punishments. But in my opinion better if the manager just makes it mandatory.

But when they're recalcitrant it's fairly easy to fix formally.

The solution was for the manager to tell the programmers that they either sort out their security themselves or the engineers will come and lock peoples machines down and enforce group policies... this usually did the trick pretty quickly. Usually it doesn't even have to be followed through with.

A non confrontational way which I use a lot is to get the Network Engineering Manager (in this example, me) to attend a meeting and spend a couple of minutes politely telling the programmers some home truths. This takes any uncomfortable issues off the Manager and coming from a third party who can actually enforce things is a good strategy. I just go in introduce myself, apologise for taking their time and outline simple network security policies that MUST be enforced as part of my role. Treat them like the professionals that they are. Ask if anyone needs to know how to lock their machine, take any questions they might have, thank them for their time and leave the meeting so they can sort out how they want to do it (I don't want to know about baggy pants or donuts or pizza). Even just an email to their Manager will be enough usually, he can then forward it to his team and discuss it at their meeting. The crux is having it come from the authorised third party.

I have only rarely needed to actually do it, this goes for any group of professionals or elites within a company, I have used this method with pilots, doctors and lawyers as well as programmers.