One of my main concerns, is weather or not the CMD / Run does anything.
Probably not as much as you might at first think. What you have done is removed the immediate acess to a utility for a particular user or user group. The utility is still there, and they could probably (?) still run it using a different route.

I may well be wrong, but I would normally associate what you have done with limiting users at the physical access level................ at least with NT 4.0 and Windows 2000 Pro. I am not so sure about XP, and haven't even tried with Vista, W7 or W8.

A few more random thoughts:

1. Rename the administrator account.............. it's hard to find something you don't know the name of?

2. Disable "autorun" .............. it's Microsoft's very own malware installation utility

3. Create a backup image and keep it up to date. It's a lot easier to wipe and re-image if the worst happens

4. Possibly total overkill, but you might look at "Deep Freeze" or similar utility? I know there is a free one out there, but I cannot remember its name.

It holds an image of the "clean" system, and re-installs it on reboot. It is used a lot in schools, public libraries and the like, as it automatically kills keyloggers, sniffers and other malware. This works particularly well if you have stroked your hard drive.