You can restrict users from accessing or changing many display properties in Group
Policy via user configuration/administrative templates/control panel/display. You
would have to either put those users in their own OU where you would apply those
restrictions via a GPO for that OU or configure it at the domain level or other
common level and filter the policy so that it applies to only the users in a specific
group. See the link below for details on Group Policy filtering.
http://support.microsoft.com/default.aspx?scid=kb;en-us;322176
To control internet access as you wish something like ISA firewall is the best
solution. Otherwise if the users are confined to particular computers you could
disable default gateway on their computers assuming they can not reconfigure it,
configure the perimeter firewall to block outbound access based on their IP addresses
which would need to be static or possibly reserved in the dhcp scope so that it would
not change, create an ipsec filtering policy on their computer if W2K or XP Pro to
block access, use a personal firewall to block access to the internet, or try using
Group Policy to assign the users a bogus proxy server address which would work only
for Internet Explorer and only if you also block their access to disabling the proxy
address. You can also use firewall/filtering to allow users access to only certain
internet protocols such as HTTP [blocking chat and file swapping, etc] or even limit
sites to be accessed and use Group Policy/user configuration/Windows
settings/Internet Explorer maintenance and administrative templates/Windows
components/Internet Explorer to configure Internet Explorer to be more secure by
configuring settings such as Web Content Zone security levels even disabling
downloading from Internet Explorer if needed. --- Steve
