I am looking for a way to severely restrict user account access on Windows servers. Is there a way to programmatically do this? I have found a few options like forcing a user to start in a program other than explorer.exe such that it is the only thing they can access, and once they exit, they log off. I would want them to be able to do a handful of different things: run a few different apps, control printer setup, and start/stop a couple services. Am I asking too much? I'm prepared to write an application to do all these things, but I just wanted to know if there's a way to create a limited account using just pre-existing Windows settings. I could write this in VB6, VB script, a batch file, or C++. I guess if I were to write the app to do everything, I would need a way to programmatically change the start up for the limited account.
SnapOverflow
You want to take a look at Group Policy. I'm assuming this is in a domain, otherwise you'll have to do it on a per server basis. You should be able to do most of what you want without resorting to writing custom scripts, although the older versions are less inclusive than the current GPOs.
As an aside, is there any reason you're using such old versions of the OSs?
There should be no pressing need to write a customized shell for this purpose, especially since even a restricted shell can be circumvented in numerous ways. What you can do is