Windows

Hmmm .. you said you have problems with user installing programs and games. I sugest you to make them simple users in your domain (they don't have the right to install programs on their computers), change the local administrator password and never give it to anyone. That's it! If the users have to share folders so that they can communicate - create only one folder in each user computer - under the local administrator account - and share it and that's it.

Viadolar has it, but most users don't need a CD Rom to do their work. Just remove the CD Rom [same with the floppy drive] or take the data cable off.

Assuming you are using a domain, you can also use group policy to hide control panel, the local disks, and limit what programs a user can actually run.

All the above selections are perfectly viable. If you want to be even more heavy handed, you could purchase and install a program like:
Deep Freeze (http://www.deepfreezeusa.com),

Fool-Proof (http://www.smartstuff.com/fps/fpsinfo.html), or

Clean Slate (http://www.fortres.com/products/cleanslate.htm)

All of which protect the computer by returning it to a known state at power-up, un-doing any changes made by the user. At least one of them (FoolProof, I think) can lock down so hard that a "no-no" message is displayed if the users tries to drag a icon to a different area on the desktop.

All a matter of how far you want to go...

i think method will work but method 4 is a little extreme especially when you have to pay extra to handle things.

To add to those already good suggestions, here is what I would do (to make my life easy) :

Leave the cdrom in the system but disable it. either through hardware like disabling the secondary ide or through computer management (under removable storage) in each PC.

Or you can use group policy. Under group policy, you can make all CDROM as D drive and then disable access to D drive. OR you can specify to disallow installation of program from removable drives under "windows installer" group policy. But then this does not mean they can't copy the installation to HDD and then install from there.

I guess it all depends on how extreme you want to implement the policies. If the network is small, my preference would be to limit the cdrom access only to administrators. That way, if the users really need to use the cdrom, they just give you a call and you use "run as..." to give temporary access until the logoff.

If you have large clients, the best method is to use group policy but as you know group policy takes time. But then really have few methods to implement this. For example, you can allow only certain person to use cdrom (someone you can trust or manager). This cdrom is shared among a few person maybe among same deparment. So, blame it on this person if you find that department is playing games.

Hope it helps...

We resolved the problem completely by incorporating statements in our Information Security Policy that say before any software is installed on a PC you must get the approval of the IT department.

This not only prevents games and such from being installed; it protects us from unlicensed software being installed which creates a liability for the company.

All employees receive the policy when they are hired. I follow up with new employees a month later to see if they have any questions. Once a year, employees are encouraged to reveiw the policies and if any changes are made, everyone is required to read them and sign a statement saying they understand them.

If you violate the policy it could be grounds for termination. I developed all my policies for computer, internet and email use using some of the resources and downloads available on this site.

thanks for all the advice but the problem is they are laptops so are not always connected to the network meaning domain groups and rights need to work away from the office as well as in it i'm still stuck!

Have you tried to logon to the laptops as admin and set the user rights at the pc level ? Rights don't have to be administerd across a domain. They can be restricted at the pc for the user and/or user groups. You can tighten them down pretty tight.