I am currently locking down a companies remote desktop access via a VPN. What I need to do is disable remote printing, file transfer and clipboard via active directory for the workstations that will be accessed. I am having trouble figuring out which GPO's are used to restrict this.
My basic approach is to restrict VPN users to port 3389 so the will be able to access their work computers remotely but nothing else (I will look into layer 7 scanning later). With this I want to ensure they are unable to transfer and data via files, printing or the clipboard.
The environment is Windows Server 2003
So if I understand your requirements, you have the VPN setup so when users connect, they are behind a firewall that restricts all traffic except for 3389 which is used for MS RDP to their desktops to do their work. You also want to restrict users from printing from their work PC's to any external printers, prevent them from cutting and pasting via the RDP session clipboard and transferring files off their PC's.
I think you need to look at this from a network perspective as well as policy settings.
You can create a policy and prevent LPT port redirection under the GPO computer setting "Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do Not Allow LPT Port Redirection". You can also configure the clipboard in the same location.
As far as transferring files from that PC to somewhere else, you will have to restrict protocols at the network layer to prevent SMB, HTTP, HTTPS, FTP, etc from your internal network to anywhere external. If that is already in place then nothing related to the RDP should change that. AFAIK, cutting and pasting of files via RDP is not supported.
Remember if you allow them to access email from their desktop, they can always email files and such out unless you block it on the email server.
Have you considered adding a 2008 server and setting up the Remote Desktop Gateway? In the Remote Desktop Gateway policy you can disable devices redirection.
With A Remote Desktop Gateway the users will not need a VPN client, and you won't have to do anything to the workstations.
The vpn should be established prior to connection to rdp, so rdp should not be exposed to the internet so you don't have to worry about rdp's port useage.
as far as gpo settings look within gpmc
computer/admin templates/windows components/terminal services etc...