Hi everybody,
O.K., I am trying to set different permissions for administrators and other users on a Windows XP Professional system. Actually, what I am trying to accomplish is to prevent a specific user from running any application other than Microsoft Word. So I tried the suggestions on the following page: http://support.microsoft.com/?kbid=293655
Setting permissions for "Hide My Network Places icon on desktop" as suggested in this article worked just fine; however, to accomplish my goal I needed to play around with the dangerous "Run only allowed Windows programs" option. I also needed to add mmc.exe to the allowed programs list to complete the procedure.
During my tests, what I noticed was that enabling this policy does not affect the "Windows Original Administrator" account, which was my luck BTW, otherwise I could have locked all the accounts on my computer. Apparently this is not documented, or at least I have not seen it anywhere, so my first question is: is this what is supposed to happen in this case?
Second question is that it did not work for me. I did try so many times to prevent a specific user from running programs other than winword.exe and let the other users (administrators) have their default permissions, but it did not work for me. What am I doing wrong?
Third question is: is there any other way, other than the way specified in Microsoft's article, to accomplish this? I mean, to accomplish my goal, I had to allow mmc.exe to run, but this is a security hole that I knowingly put there. What else can be done to only and only allow one program to run for a specific user?
How are you applying the software restriction at the moment? At what level (OU, site, domain)?
Oops! Sorry that I have not mentioned it in my previous post. I am trying to apply the "Run only allowed Windows programs" policy on a local group policy. No domains or sites or OUs.