For filtering, try SurfControl WebFilter. I use this at work, and it's great. Blocks access to all the naughty sites, and you can also filter out undesirable extensions.
 
Not that cheap, but then you need to protect yourself. It's possible someone might well view a site that causes offense to one of your other customers, and then you could be in trouble.
 
By blocking these sites, you're taking steps to lessen this risk.

to disable deleting icons - check out this thread......
 
http://www.ntcompatible.com/forums/viewtopic.php?t=24563&highlight=
 
kind of tells you how to edit policies for specific accounts.
 
start by looking into gpedit.msc - but changes there appy to all accounts, so u may want to read the links in that other thread.

www.deepfreezeusa.com
 
Worth the investment

I'm sorry I haven't replied to this earlier, what you could do is use a program like System Safety Monitor, which controls what apps can run and what can't. At the moment it is still in beta but it works really well with XP and 2K. What I would do is password protect the admin side of SSM and tell it what can run, then set it in user mode and when they d/l the *.exe it can't/won't run
 
SSM - http://maxcomputing.narod.mu/ssme.html
 
Also another similar program is Tiny Trojan Trap (Now part of their firewall) it does the same thing except it offers more control than permit or deny.

I second DS3Circuit's suggestion of DeepFreeze, it was used at a lab I used to work at, and it's really nice, and virtually invisible to the end-user. I just checked their site, and they have a 60 day trial version for free evaluation if you're interested. You could try it on a few of your machines (provided the eula does not specify only one machine) to see how it works in your environment.

Quote:and I think you can even extend that to IE settings as well... without investing in 3rd party stuff & using native features of this NOS family

You are correct APK, I was just looking out for the guy in the sense of "locking down" his machines further.

If you truly wish to make your own custom IE, look at the IEAK
http://www.microsoft.com/windows/ieak/downloads/ieak6/ieak6sp1.asp

hehe,
 
the only reason i was on that route is thanks to u Alec! - wow, i did learn something from all the posts and reading i have made on here!

A quick and easy way to prevent Users and Power Users from deleting desktop and Start menu icons (other than what they put there themselves. If you want to prevent that too then the way mentioned earlier is probably better) is to move everything into the Start Menu and Desktop folders in the All Users folder in Documents and Setting and then setting the permissions for Users and Power Users to "Read & Execute" (after first removing any inheritance from the higher directory) and then forcing them down the directory tree. I've been using that trick for years on both 2k and XP for just that purpose.