Group Policy in combination with ntfs permissions would be the way to go. XP
Pro would be a better choice due to Software Restriction Policies. For
Windows 2000 look at all the options under user configuration/administrative
templates to restrict users including system where you can specify "run only
allowed Windows applications" though a user could possibly rename an
application to be what is on the allowed list to allow the application to
run. Be sure to read the full explanation of any setting before implementing
it and understand that by default local Group Policy applies to every user
that logs onto that computer if the computer is not part of a domain. Ntfs
permissions should also be used to not let users write to the computer and
not execute applications or files that you do not want them to run. Check
the root folder, the user profile for the account to be used, and the all
users/application folder for places users can write files to. If you use the
built in guest account for logon, the profile for the guest user will not be
saved after log off. Just keep in mind that enabling the guest account will
allow anyone access to shares on the computer that include everyone group
for share and ntfs permissions. You can also tweak IE Web Content Zone
settings to prevent users from downloading files via IE. --- Steve
