If they are NOT local administrators or power users there may be a couple of
things you can try.
Use your firewall to block outbound access to all but unauthorized
ports/protocols to keep them from using file swap, chat programs, and such.
If you can not do that, then personal firewalls or ipsec filtering can be
used on W2K/XP Pro computers to have the same effect. As long as they can
use only Internet Explorer as their browser you can configure their Web
Content Zones to disable downloads. This can be down via Group Policy also
but you will have to also disable the users ability to access at least the
security page in Internet Explorer control panel.
XP Pro computers can be configured with Software Restriction Policies to
restrict what users can install and run on their computers with either hash,
certificate, or path rules. W2K does not offer that and about the best you
can do is configure the allowed only or disallowed list of Windows
Applications in Group Policy/user configuration/system. Be sure to read the
full explanation of any setting before implementing and it may help to add
setup.exe and install.exe to the disallowed list. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;323525 -- example
of W2K Group Policy setting.
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
-- XP Pro SRP