I've managed to lock things down fairly tightly (it was mmc.exe I had to make available to get at the group policies!), though there are an awful lot of things which need to be 'taken away' and I had to explicitly say 'do not allow explorer.exe to run' or else the <windows>/E key combination would start it.

I've not yet managed to apply it just to a single user but shall persevere after what you said, although I thought such facilities were only available if Active Directory was in force.

I'm not looking for a total solution; I know there are lots of ways I can get round it, but I'm just looking to stop the enthusiastic kid and he'll tend to give up if it's not easy and what he expects ;-)

Of course, it's made even more difficult by the fact that the base unit is locked away!