Alright my company is looking at bringing a school of about 150 students onto our solution which basically provides a ts/citrix desktop for users to access files and such.

My question to all of you is what are some basic security concerns about an enviornment like this once a person has a username/password.

I use Nessus to secure from outbound however my concern is now people with usernames/passwords already.

I have found a couple of things and have questions on them as well.

Ability to right click my computer and pull up properties(not able to change anything but things are still viewable)
Ability to download batch files/scripts and run them(I know you can do a group policy to disable this but what I'm not sure on is wether it has to be applied as domain wide or not)
Ability to right click the start button and select explore(I don't know how to block this one)

I'm looking for a way to lock the users down to only running things like office. Accessing a share/home drive and saving files and such.

Please assist.