The best way I have found to control what a user can do on a windows desktop is to use a registry hack like “Stormwindows”. It will lock out any device, program, or function you want. The program is password protected and has proved to be flawless. Just don’t forget or mispell the password. You can control a users access to running only one program if you wish.
There is also a great deal to be done with windows native poledit