I went and pulled these
Are in: run | gpedit.msc
User Configuration\Administrative Templates\Windows Components\Windows Installer—configure--Search Order
"Specifies the order in which Windows Installer searches for installation files.
By default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL).
To change the search order, enable the policy, and then type the letters representing each file source in the order that you want Windows Installer to search.:
-- "n" represents the network;
-- "m" represents media;
-- "u" represents URL, or the Internet.
To exclude a file source, omit or delete the letter representing that source type."
User Configuration\Administrative Templates\Windows Components\Windows Installer—configure--Disable Media Sources for any install
“Prevents users from installing programs from removable media.
If a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears, stating that the feature cannot be found.
This policy applies even when the installation is running in the user's security context.”
User Configuration\Administrative Templates\Control Panel\Add/Remove Programs\Disable Add Remove Programs—configure -- Hide Add New Programs page
“Removes the Add New Programs button from the Add/Remove Programs bar. As a result, users cannot view or change the attached page.
The Add New Programs button lets users install programs published or assigned by a system administrator.”
User Configuration\Administrative Templates\Control Panel\Add/Remove Programs\Disable Add Remove Programs—configure -- Disable Add Remove Programs
"Prevents users from using Add/Remove Programs.
This policy removes Add/Remove Programs from Control Panel and removes the Add/Remove Programs item from menus.
Add/Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 and a wide variety of Windows programs. Programs published or assigned to the user appear in Add/Remove Programs.
If you disable this policy or do not configure it, Add/Remove Programs is available to all users.
When enabled, this policy takes precedence over the other policies in this folder.
This policy does not prevent users from using other tools and methods to install or uninstall programs."
User Configuration\Administrative Templates\Windows Components\Windows Update—configure—Remove access to use all windows update features
“This setting allows you to remove access to Windows update.
If you enable this setting, all Windows Update features will be removed. This includes blocking access to the Windows Update Web site at
http://windowsupdate.microsoft.com and from the Windows Update hyperlink on the Start menu and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This policy also prevents Device Manager from automatically installing driver updates from the Windows Update Web site.”
User Configuration\Administrative Templates\system—configure—disable the command prompt
“Prevents users from running the interactive command prompt, Cmd.exe. This policy also determines whether batch files (.cmd and .bat) can run on the computer.
If you enable this policy and the user tries to open a command window, the system displays a message explaining that a policy prevents the action.
Note: Do not prevent the computer from running batch files if the computer uses logon, logoff, startup, or shutdown batch file scripts, or for users that use Terminal Services.”
User Configuration\Administrative Templates\Start Menu and Task Bar—configure—Remove Run Menu from the Start Menu
“Removes the Run command from the Start menu and removes the New Task (Run) command from Task Manager. Also, users with extended keyboards can no longer display the Run dialog box by pressing Application key (the key with the Windows logo) + R.
This policy affects the specified interface only. It does not prevents users from using other methods to run programs.”
I think if you lock all these you willl have what you want, If you want to be more specific? I could perhaps help more.
Hope this helps