Please check your statement above. I have never seen this to be a problem in a default install. Unless a user has some administrative responsibility, or is explicitly given the right to logon locally he/she cannot logon to a server locally. To a workstation -- yes.
Who was the user that could log on? By default, right after install, there is only one user who can logon locally -- the administrator -- as that is the only account. Did you create an account? And then attempt to log on? What privileges or group membership did you give this user account?
Third: the Deny Logon Locally right takes precedence, as do most deny rights, over any "allow" rights. Here's how most privileges work. If you are explicitly given a privilege, you have it. Otherwise, you are implicitly denied. If you are explicitly denied, then any explicit "allows" don't count. So, yes, if you "Deny" logon to the users group, you deny logon to every member, even if you explicitly allow logon.
So, no, this is not a flaw in Windows 2000 server security. It is acting as it was designed, and as most security gurus would want it: deny overrides allow. We want security to fail closed. In information security it's far better that an innocent be kept out of a resource they maybe should get access to, than that an attacker accidentally get access to somewhere they shouldn't be.
This was first published in March 2003