This may or may not help you but at work I created a group policy that
redirects users' desktops to another folder, and that folder is a
folder in a fileshare with the permissions on the share being read-only.
Multiple subfolders are in the fileshare, one for each user group
so the various group policies that define the redirected desktop have
different paths. Any administrator can simply copy files into the
various desktop folders and within a split second all users see the new
files but the users are not allowed to put anything on the desktop due
to the share permissions.
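
The share layout described above, as an added PowerShell example that is not part of the original post. The path `D:\Desktops`, the share name `Desktops$`, the `CORP\...` group names and the per-group NTFS ACLs are assumptions; the post only states that the share permission is read-only and that each user group has its own subfolder.

```powershell
# Added example; path, share name and group names are hypothetical.
$root      = 'D:\Desktops'
$shareName = 'Desktops$'
$admins    = 'BUILTIN\Administrators'
$system    = 'NT AUTHORITY\SYSTEM'
$groups    = 'CORP\Sales', 'CORP\Engineering'   # one redirected desktop per group

New-Item -Path $root -ItemType Directory -Force | Out-Null

# Share permission: Read for the user groups, Full Control for administrators.
# Effective access over SMB is the more restrictive of the share and NTFS
# permissions, so users cannot write to the desktop even if NTFS would allow it.
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $root `
        -ReadAccess $groups -FullAccess $admins | Out-Null
}

foreach ($group in $groups) {
    $leaf   = ($group -split '\\')[-1]
    $folder = Join-Path $root $leaf
    New-Item -Path $folder -ItemType Directory -Force | Out-Null

    # NTFS (assumption, not stated in the post): remove inherited ACEs so each
    # group can read only its own desktop folder; admins and SYSTEM keep Full.
    icacls $folder /inheritance:r /grant:r `
        "${admins}:(OI)(CI)F" "${system}:(OI)(CI)F" "${group}:(OI)(CI)RX" | Out-Null

    # UNC path to enter as the Desktop redirection target in that group's GPO.
    "\\$env:COMPUTERNAME\$shareName\$leaf"
}
```

Run it in an elevated session on the file server; the redirection target itself is still set in each group policy, using the UNC paths the script prints.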