Oh yeah, I just thought of one more thing. All of the policies in the world won't help if a user is savvy enough to hit F8 at the Win9x boot message "Starting Win9X". This can allow a user to boot to a DOS prompt, and all sorts of havoc can be wreaked from there. Fortunately, it's easy to disable the boot keys by adding or modifying the BootKeys= entry located in C:\MSDOS.SYS so that it is set to 0. Here is an M$ knowledge base article on all of the settings located in this file.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q118579
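
Added example (not part of the original post): a Python sketch that audits the text of an MSDOS.SYS file for the BootKeys setting and produces a copy with BootKeys=0. The function names and the sample file contents are constructed for illustration; it assumes the entry belongs in the [Options] section and that a missing entry means the boot keys are enabled.

```python
import re

# Constructed sample of an MSDOS.SYS file (not taken from a real machine).
SAMPLE_MSDOS_SYS = """\
[Paths]
WinDir=C:\\WINDOWS

[Options]
BootGUI=1
BootKeys=1
"""
KEY = re.compile(r"^\s*BootKeys\s*=\s*(\S*)", re.IGNORECASE)

def _options_span(lines):
    """Return (start, end) indexes of the [Options] body, or None if absent."""
    start = None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if start is not None:
                return start, i          # next section header ends [Options]
            if s.lower() == "[options]":
                start = i + 1
    return (start, len(lines)) if start is not None else None

def boot_keys_enabled(text):
    """True if F8 and the other startup keys are still honoured."""
    lines = text.splitlines()
    span = _options_span(lines)
    if span:
        for line in lines[span[0]:span[1]]:
            m = KEY.match(line)
            if m:
                return m.group(1) != "0"
    # Assumption: no BootKeys entry means the default (keys enabled).
    return True

def disable_boot_keys(text):
    """Return the file text with exactly one BootKeys=0 under [Options]."""
    lines = text.splitlines()
    span = _options_span(lines)
    if span is None:
        lines += ["[Options]", "BootKeys=0"]
    else:
        start, end = span
        kept = [l for l in lines[start:end] if not KEY.match(l)]
        lines[start:end] = ["BootKeys=0"] + kept
    return "\r\n".join(lines) + "\r\n"
```

On a real system C:\MSDOS.SYS carries the read-only, hidden and system attributes, which have to be cleared before the file can be written and restored afterwards.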