OK here goes,
I have been put in charge of securing a shared system with two sets of users. One set is computer savvy and know what they are doing. The other set doesn't know ****. All users run with admin rights (I know ). One of the latter users installed TONS of spyware on the comp. After cleaning, I've taken the following steps:

1. Converted the drive to NTFS
2. Created two sets of users. The first set has been assigned to power users. These people also have the admin password. The other set has been assigned to users.

Now, what I want to do, is really lock down what the second set of users does. [BOFH] I mean except for playing music/movies, using MS-Office and using the internet, they have NO rights [/BOFH]. I am planning to use the group policy editor for this. However, since I've never really played with it before, I can't figure out how to assign settings to only one user or group. All settings look system-wide to me. Please help me figure this one out.