I need to lockdown approximately 100 desktops used by students. They are all part of Win2k3 domain. They are all XP Pro, fully patched.

By lockdown, I mean... They (users in the Student Group) can make NO changes to the workstation. They already have roaming profiles with their "My Documents" on a network share. Kids are installing stuff and modifying desktop/display settings, and just being general nuisance.

Is there an elegant way to accomplish this? e.g. push GPO to all desktops?
Is there some doc somewhere of best practices for lockdown?

Also, unrelated but.... is there a tool (free?) like MS Inventory Analyzer that I can run to identify all software installed?