W2K Security Policies – implementing off

We have just bought a number of laptops for our Rep’s, on each laptop we have an Admin Account and a User Account. I would like to implement some security model so that each user account only has limited access to certain areas of the machine (e.g. No Access to Control Panel or Internet Explorer etc.), under NT I implemented this on our network with a local security policy. How can I achieve the same sort of thing on a standalone laptop not connected to our network, as I understand it the GroupPolicy editor on W2K only works for machines connected to a network? If this can only be achieved by changing registry settings manually how do I find out the relevant registry settings?