I'm testing it using VMware which means I can get back when I mess things up!

I does seem that these setting can only be applied to the machine, although the registry entries do seem to be being made in HKCU, so I may be wrong. The documentation states that windows groups are not the same as these policy groups.

I did manage to lock out everything I wanted although I couldn't get back in again since adding gpedit.msc to the list of programs didn't work. I guess I need to add the Microsoft Management Console application executable itself.