I am going to be implementing a Windows 2003 Application Server on a network where users are going to use RDP through thin clients to work on the server. What I would like to do is control access levels of what users can and cannot do on the server. I have seen schools and libraries do this stuff before where items like the local C: drive, Display properties, Start Items, etc are inaccessable to the user. I do not want the users to mess up the server in any way. I want them to log in, have only the shortcuts to the software that they use and that's it. I also want to take away their ability to shut down or reboot the server, because I can just see that happening like 10 times a day when users forget that it's the server and not their workstation that they are rebooting.
I assume that all of these things are done via the policy editor, but looking through it, a lot of the descriptions might as well be written in Chinese. It is also confusing which policy effects what and where to find many of the controls. There has got to be a guide or some software to make this task simpler. Detailed documentation on how the policy editor works and what/how exctly each control effect the system may be sufficent.