I'm working on setting up a small SBS2003 domain. The company is migrating from a Windows 2000 Workgroup. The main reason for doing this was to better secure the workstations so the employees aren't always screwing them up. Well today I found that their main business application will not run without adminstrator priviledges, so I guess I'm going to have to give every employee and Adminstrative account. How in the world can I lock this network down? I was hoping, to keep the employees from being able to install applications, keep them from downloading anything off the internet, turn off Active X controls, turn off the Run dialog, Turn off the control Panel, etc. etc. I was hoping to do all this with Group Policy, but now that this dilemma has come up I'm at a loss. Can I still make these employees Adminstrators and achieve this type of security? This is very time sensitive so I appreciate your help.