Restricting RDP users

One of our clients has several inexperienced users connecting to a 2003 terminal server. To help protect the server, the following group policies have been enabled:

- User Config -> Admin Templates -> Start & Taskbar:
Add "Log off" to start menu
Disable and remove "Shutdown" from start menu
- User Config -> Admin Templates -> Windows Explorer:
Hide specified drives... (restricting all drives includes network drive letters!)

This hid most of the local drives on the server, leaving just the mapped network drive for the users' data. However, if they started typing a path in any address bar, folders in the "hidden" drives were listed as auto-complete options. To avoid this, I disabled autocomplete (effective for both Windows Explorer and Internet Explorer):

- User Config -> Windows Settings-> IE Maintenance-> Advanced-> Internet Settings