About the best you can do in W2K is to keep users in the regular users group and
use ntfs permissions to minimize places where they can install software. In
particular the root folder needs to have ntfs permissions changed to allow
everyone/users only read/list/execute permissions. There is no way to
effectively lock down an administrator account which would create a denial of
service attack vulnerability if it was possible. Group policy could be used also
to further try to restrict users by including setup.exe, install.exe in the do
not allow Windows programs in Group Policy under user
configuration/administrative templates/system. That will not work if a user can
rename a file however to bypass the restriction. --- Steve
