Networks

Hi!!! I would like my users not to have any access to all drives except two network drives (p: and s:).I have enabled "Deny access from my computer" and "Hide drives" for all drives except p and s (i have altered the system.adm file). I have also enforced a software restriction policy for all the default designated file types to all drives except p and s.Please note that users connect to a fat server through their thin clients using remote desktop connection.Being so, the drives i have banned are the physical drives of the server.Despite those restrictions if a user creates a shortcut on his desktop with a path like "e:\1.txt" or e:\folder\1.txt" he is able to run the .txt file (e: is the usb flash disk that the user can plug to the server since he has physical access to it-unfortunately).Is there a per user setting that i can implement so that the users can not acces at all (not even through shortcut) the requested drives? Can i -through software restriction policy- add a wildcard (*) or something in order for the users not to be able to run any type of files?
I don't want to disable the usb,cd-rom,floppy drives or disable the right click of the mouse because i want the users to be able to create shortcuts.PLEASE HELP!!!