Locking down a workstation

I have an NT4 workstation with PC Anywhere host installed on it. I want to lock it down so that a user logging in can only issue a Start, Log on as a different user command set. Specifically, I want to prevent anyone from being able to browse the system through Explorer, Run, IE, My computer, etc. I presume a policy is the right solution, but need some assistance developing one – any suggestions would be helpful.