First, you can prevent users from accessing any computer over the network by locking down the user right "Access the computer from the network." By default, this right is granted to everyone, administrators, users, backup operators and power users. Remove groups that should not have privileges. For ideas on this you might refer to the security template prepared by the Center for Internet Security. You can also use the "Deny access to this computer from the network" right to explicitly deny groups access. This should be done in a group policy object (GPO) and linked to the organizational unit (OU) within which the computer accounts live.
Second, for those servers to which users must connect (file servers, e-mail servers, etc.), don't use these settings. Instead evaluate the group membership users have -- ordinary users are not privileged to use many tools used to manage a computer.
You can further restrict their abilities by using the Administrative Templates portion of the GPO to block view and use of common tools, such as those in Control Panel and from manipulating many settings. Spend some time investigating these settings -- you should find many that will help. You should also investigate the use of NTFS permission settings on tools and utilities to block the ability of ordinary users to run the tools. These permission settings can be set in a GPO as well.
Finally, for XP, there are software restriction policies, useful tools in preventing the use of software -- while allowing administrators to use it.
This was first published in February 2003