It may be very hard to keep them from installing everything, but making sure that
they are a regular user is a good start. Unfortunately the compatws.inf template
loosens ntfs permissions quite a bit. You might want to contact software publishers
to see if they can recommend permission changes that would allow regular uses to run
the application with default security permissions or use free tools such as filemon
and regmon from Sysinternals to try to track down necessary permissions yourself.
http://www.sysinternals.com/
It might help to configure Web Content Zones to disable downloading of files from
unapproved sites and generally harden Internet Explorer settings as described in link
below which can be implemented domain wide.
http://www.jmu.edu/computing/info-security/engineering/issues/ie.shtml
I don't believe regular users can install .msi files unless they are published or
assigned. Anyhow there are Group policy settings to control that - look under
computer and user configuration for Windows Installer settings and be sure the
"always install with elevated privileges" is disabled. You can also use Group Policy
to some degree to control application execution, though it can be worked around by
renaming files. Windows XP Software Restriction Policies are much more powerful in
controlling software use.--- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;323525