Você pode querer olhar para o pacote " Cenários comuns de diretiva de grupo usando o GPMC ", é um conjunto de scripts de política de grupo para bloquear estações de trabalho em várias situações. Acredito que você esteja procurando os scripts da AppStation ou da Estação de Tarefas.
AppStation
The AppStation scenario is used when you require highly restricted
configurations with only a few applications. Use this scenario in
“vertical” applications such as marketing, claims and loan processing,
and customer-service scenarios.
The AppStation scenario has the following characteristics:
- Allows minimal customization by the user.
- Allows
users to access a small number of applications appropriate
to their job role.
- Does not allow users to add or remove applications.
- Supports free-seating.
- Provides a simplified desktop and Start menu.
- Users have
restricted write access to the local computer and
can only write data to their user profile and to redirected folders.
- Is highly secure.
TaskStation
Use the TaskStation scenario when you need the computer dedicated
to running a single application, such as on a manufacturing floor, as
an entry terminal for orders, or in a call center.
The TaskStation scenario is similar to the AppStation scenario,
with the following changes:
- It has only one application installed, which automatically
starts
when the user logs on.
- No desktop or Start menu is present.
Kiosk
Use this scenario in a public area, such as in an airport where
passengers check in and view their flight information. Because the
computer is normally unattended, it needs to be highly secure.
The Kiosk scenario has the following characteristics:
- Is a public workstation.
- Runs only one
application.
- Uses only one user account and automatically
logs on. The system
automatically resets to a default state at the start of each session.
- Runs unattended.
- Is highly secure.
- Is simple to operate, with no logon procedure.
- Does not
allow users to make changes to the default user or system
settings.
- Does not save data to the disk.
- Is always on (the user cannot log off or shut down the computer).
A workstation that uses the Kiosk scenario is similar to a
TaskStation, but users are anonymous in that they all share a single
user account that automatically logs on at computer startup. This is
achieved by modifying the Kiosk machine in a manner described later in
this document. No customizations can be made and no user state is
preserved.
Although user sessions are usually anonymous, the user can log on
to an application-specific account, such as to a Web-based application
through Internet Explorer (assuming Internet Explorer is the
“kiosk application” launched at startup).
The dedicated application could be a Line of Business (LOB)
application, an application hosted in Internet Explorer, or
another application, such as one available in Microsoft Office. The
default application should not be Windows Explorer or any other
shell-like application. Windows Explorer allows more access to
the computer than is appropriate for a Kiosk computer. Be sure the
command prompt is disabled and Windows Explorer cannot be
accessed from any application you use for this purpose.
Applications used for kiosk scenarios should be carefully checked
to ensure they do not contain “back doors” that allow users to
circumvent system policies. For example, they should not allow users
access to applications that access the file system. Ideally, you
should only use applications that comply with “The Application
Specification for Windows 2000”, are Certified for Windows, and
that check for Group Policy settings before giving users access to
prohibited features. Older applications will not normally be Group
Policy-aware, so try to disable any features that allow users to
bypass administrative policy.
The registry entries Run and RunOnce are disabled in
the Kiosk scenario through associated policy settings.