no offense, sdk, but given that you're the only one familiar with the objectives of the host/environment - and haven't even mentioned what software applications the users will be running... expecting a detailed list of minimum access permissions from others seems a little far-fetched. even a "default" lockdown wouldn't serve you well in the terminal scenario. you haven't even stated what service pack you're running.

general rule of thumb: don't ever let them write where they can execute - don't ever let them execute where they can write. the physical or logical barrier between the two should be documented as the write/exec partition; the most widely used locale for this is the user's profile directory. your ntfs permissions should reinforce what you have already implemented at the policy level. approach it from an allowance method - remove the ability to do anything, then add in permissions where needed (again never compromising the write/exec partition). for assistance in debugging needed access turn on auditing.

i've got a hundred-or-so page hardcopy list of file permissions used in terminal services on an old job, and it's info that is worth far more than the paper it's printed on. if this is something that your company needs - and you don't have the wills to generate it yourself, i'd suggest hiring someone.
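An added example, not part of the original post: a PowerShell audit that lists directories whose NTFS ACL gives a non-admin principal both write and execute, which is the overlap the write/exec rule above forbids. The root path and the principal names are assumptions to adjust for the host; nested group membership is not resolved, and deny entries are subtracted across all listed principals as a simplification.

```powershell
# Added example: find directories where listed principals can write AND execute.
# Assumptions: $Roots and $Principals defaults; change them for your environment.
param(
    [string[]]$Roots      = @('C:\'),
    [string[]]$Principals = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
)

$Rights    = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($Rights::WriteData -bor $Rights::AppendData)  # create files / subfolders
$ExecMask  = [int]($Rights::ExecuteFile)                         # execute file / traverse
# Generic access bits can appear unmapped in an ACE, so map them by hand.
$GenericAll = 0x10000000; $GenericExecute = 0x20000000; $GenericWrite = 0x40000000

function Test-WriteExecOverlap {
    param([string]$Path)
    $allow = 0; $deny = 0
    foreach ($ace in (Get-Acl -LiteralPath $Path -ErrorAction Stop).Access) {
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        # Inherit-only entries affect children, which are checked on their own.
        if ($ace.PropagationFlags.ToString() -match 'InheritOnly') { continue }
        $bits = [int]$ace.FileSystemRights
        if ($bits -band $GenericAll)     { $bits = $bits -bor $WriteMask -bor $ExecMask }
        if ($bits -band $GenericWrite)   { $bits = $bits -bor $WriteMask }
        if ($bits -band $GenericExecute) { $bits = $bits -bor $ExecMask }
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $bits }
        else                                    { $deny  = $deny  -bor $bits }
    }
    $effective = $allow -band (-bnot $deny)
    return (($effective -band $WriteMask) -ne 0) -and (($effective -band $ExecMask) -ne 0)
}

foreach ($root in $Roots) {
    # Check the root itself, then every directory beneath it.
    $dirs = @(Get-Item -LiteralPath $root -Force) +
            @(Get-ChildItem -LiteralPath $root -Directory -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        try {
            if (Test-WriteExecOverlap -Path $dir.FullName) {
                [pscustomobject]@{
                    Path    = $dir.FullName
                    Finding = 'write + execute granted to a listed principal'
                }
            }
        } catch {
            Write-Warning "Could not read ACL: $($dir.FullName)"
        }
    }
}
```

Each path it reports is a candidate to compare against the documented write/exec partition before tightening the ACL or the policy that covers it.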