There's a setting for this. From within the Group Policy Editor
(GPEDIT.MSC) 'User Configuration->Administrative Templates->System->Run only
allowed Windows applications' is the setting.
Once enabled, add all applications the users should ahve access to to the
list of allowed applications. Any not on tht list will not run for the
user.
To restrict all of a certain group of users, move the user accounts to a
particular OU, link the GPO specifying the application restrictions to that
OU, and add Read and Apply Group Policy Allow permissions for those users
(or a security group they belong to) on the Properties->Security tab of that
GPO.
Be cautious not to do this at the domain level, or for all users in any way.
This group policy setting is available in both Windows 2000 and 2003.