If users only have Read access to the root of the systemdrive,
system files and program files, they can hardly install any
programs at all.
They still can try to install them in their home directory, but
they won't be able to install any dlls or other components in the
default locations.
Start with the following permissions on %SystemDrive%,
%SystemRoot%, %ProgramFiles% and %SystemRoot%\system32:
System and Administrators - Full Control
Authenticated Users - Read & Execute
Make sure that users have only Read permissions on the following
registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Give write permissions to specific files, directories and registry
keys if it is needed to get specific applications to run.
To find out which files or registry keys must be writeable by the
users to make an application work under Terminal Services,
download FileMon and RegMon from
http://www.sysinternals.com/. Run
them as administrator at the console, start a TS session as a
normal user and try to run the application.
FileMon and RegMon will show you all "access denied" errors that
occur, so that you can give your users the necessary permissions
on a file-to file or Registry subkey basis.