The most effect way to lock down is to specify the allowable executable files in the registry under [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun].
Richard is over stating the case against Win9x. It can be locked down but it is harder than with Win2000 machines & it in some cases less effective. The problem is Win9x ships with all security turned off by default plus Win9x has extra vulnerabilities in the DOS boot up, MSDOS.sys, etc that Win2000 doesn't.
This issue has been discussed a lot in the past (i.e. locking down win9x) especially a few years ago. Do a forum search on this in the starters & scripts forums & I am sure you will find lots of info.
The problem with a mixed Win2000/Win98 environment is the best & most effecient methods for locking down machines is quite different between the 2 OS. With Win2000 the policy & group policies environment is rich & robust while in Win98 it stinks & the most effective approach is to abandon policies all together & manual control everything from your scripts.
My personal observation is school's are not at all like work environments & most discussions on the web concerning security are irrelevant to schools. In a school security means physically protecting the hardware & software from damage by students. Protecting your network from outside invasions is often a minimal concern or even irrelevant. Also it is impossible to stop students from degrading & damaging both the hardware & software. The number of creative approaches they can find to damage the hardware/system are truly amazing. Even Win2000 labs with bullet proof policies will loss 1 or 2 machines a month.
In this context, a good system rebuild function is an imperative if you really want to keep a lab up & functioning consistently. You need a system which will automatically rebuild the system OS over night. Something like PCRDIST or GhostWalker or SMS (if you can afford it) are vital.
_________________________
Jack
