Deploying Windows 2003 Terminal Server
Written by bigboi   
Thursday, 09 June 2005
Page 4 of 9

[Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions]
• Set time limit for disconnected sessions
Recommended setting: Enabled – 2 Days
By default, Terminal Server allows users to disconnect from a session and keep all of their applications active for an unlimited amount of time. This policy specifies a time limit for disconnected Terminal Server sessions to remain active. Use this policy if you do not want disconnected sessions to remain active for a long time on the Terminal Server.

[Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Clients]
• Do not allow passwords to be saved
Recommended setting: Enabled
This prevents users from having the Terminal Server client on their local machine store passwords.

[Computer Configuration\Administrative Templates\Windows Components\Windows Installer]
• Prohibit User Installs
Recommended setting: Enabled – Prohibit User Installs
If this setting is enabled and "Prohibit User Installs" is selected, the installer prevents applications from being installed per user, and it ignores previously installed per-user applications. An attempt to perform a per-user installation causes the installer to display an error message and stop the installation.

[Computer Configuration\Administrative Templates\Windows Components\Windows Movie Maker]
• Do not allow Windows Movie Maker to be run
Recommended setting: Enabled

[Computer Configuration\Administrative Templates\System\Group Policy]
• User Group Policy loopback processing mode
Recommended setting: Enabled - Replace
If the Terminal Server computer object is placed in the locked down OU, and the user account is not, loopback processing applies the restrictive user configuration policies to all users on the Terminal Server. If this policy is enabled, all users, including administrators, logging on to the Terminal Server are affected by the restrictive user configuration policies, regardless of where the user account is located. If this policy is disabled, and the Terminal Server computer object is placed in the locked down OU, only the computer configuration policies are applied to the Terminal Server. Each user account must then be placed into the OU to have the user configuration restrictions applied to that user.
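The loopback behaviour described above, as an added example that is not part of the original article: a simplified Python model of which user configuration settings reach a logon on the Terminal Server. The OU names and the contents of the Staff GPO are constructed; the model also covers Merge mode, which the article does not use, and ignores security filtering, enforced links and blocked inheritance.

```python
# Added example: simplified model of User Group Policy loopback processing.
# OU names and GPO contents below are constructed sample data.

# User-configuration settings of the GPOs linked at each container,
# keyed by the path from the domain root down to that container.
USER_SETTINGS = {
    ("corp", "LockedDown"): {
        "Disable Context menu": "Enabled",
        "Remove File menu from Windows Explorer": "Enabled",
    },
    ("corp", "Staff"): {
        "Disable Context menu": "Disabled",
        "Remove Map Network Drive and Disconnect Network Drive": "Disabled",
    },
}

SERVER_OU = ("corp", "LockedDown")   # where the Terminal Server object lives
STAFF_OU = ("corp", "Staff")         # ordinary user accounts
ADMINS_OU = ("corp", "Admins")       # administrator accounts, no GPO linked


def settings_along(path):
    """Apply links from the domain root down to `path`; the closest OU wins."""
    result = {}
    for depth in range(1, len(path) + 1):
        result.update(USER_SETTINGS.get(path[:depth], {}))
    return result


def effective_user_settings(user_ou, server_ou, loopback=None):
    """Return the user settings in effect for a logon on the server.

    loopback: None (policy disabled), "merge" or "replace".
    """
    if loopback not in (None, "merge", "replace"):
        raise ValueError("unknown loopback mode: %r" % (loopback,))
    from_user = settings_along(user_ou)
    from_server = settings_along(server_ou)
    if loopback is None:
        return from_user            # only the account's own location counts
    if loopback == "replace":
        return from_server          # the account's own GPOs are ignored
    merged = dict(from_user)        # merge: server-side GPOs are applied last,
    merged.update(from_server)      # so they win on any conflicting setting
    return merged


if __name__ == "__main__":
    for ou in (STAFF_OU, ADMINS_OU, SERVER_OU):
        for mode in (None, "merge", "replace"):
            print(ou[-1], mode, effective_user_settings(ou, SERVER_OU, mode))
```

With Replace, the Admins account receives the same restrictions as everyone else, which is the "including administrators" effect the article points out.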

User Settings Restrictions

[User Configuration\Administrative Templates\Windows Components\Internet Explorer]
• Search: Disable Find Files via F3 within the browser
Recommended setting: Enabled
This policy disables the use of the F3 key to search in Microsoft® Internet Explorer and Windows Explorer. Users cannot press F3 to search the Internet (from Internet Explorer) or to search the hard disk (from Windows Explorer). If the user presses F3, a prompt appears that informs the user that this feature has been disabled. This policy can prevent a user from easily searching for applications on the hard disk. It is recommended that you enable this policy to prevent users from searching for applications on the hard drive or browsing the Internet.

[User Configuration\Administrative Templates\Windows Components\Internet Explorer\Browser menus]
• Disable Context menu
Recommended setting: Enabled
This policy prevents the shortcut menu from appearing when users click the right mouse button while using the browser. It is recommended that you enable this policy to prevent users from using the shortcut menu as an alternate method of running commands.
• Hide Favorites menu
This policy prevents users from adding, removing, or editing the list of Favorite links. If you enable this policy, the Favorites menu is removed from the interface and the Favorites button on the browser toolbar appears dimmed. Use this policy if you want to remove the Favorites menu from Windows Explorer and do not want to give users easy access to Internet Explorer.

[User Configuration\Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management]
• Deny all add-ons unless specifically allowed in the allowed Add-on list
Recommended setting: Enabled
This policy prevents add-ons from being added to Internet Explorer.

[User Configuration\Administrative Templates\Windows Components\Application Compatibility]
• Prevent access to 16-bit applications
Recommended setting: Enabled
This policy prevents the MS DOS subsystem (ntvdm.exe) from running for the user. This setting affects the starting of all 16-bit applications in the operating system. By default, the MS DOS subsystem runs for all users. Many MS DOS applications are not Terminal Server friendly and can cause high CPU utilization due to constant polling of the keyboard. It is recommended that you enable this policy to prevent the 16-bit command interpreter, Command.com, from executing.

[User Configuration\Administrative Templates\Windows Components\Windows Explorer]
• Removes the Folder Options menu item from the Tools menu
Recommended setting: Enabled
Removes the Folder Options item from all Windows Explorer menus and removes the Folder Options item from Control Panel. As a result, users cannot use the Folder Options dialog box. It is recommended that you enable this policy to prevent users from configuring many properties of Windows Explorer, such as Active Desktop, Web view, Offline Files, hidden system files, and file types.

• Remove File menu from Windows Explorer
Recommended setting: Enabled
This policy removes the File menu from My Computer and Windows Explorer. It does not prevent users from using other methods to perform tasks available on the File menu. It is recommended that you enable this policy to remove easy access to tasks such as “New,” “Open With,” and shell extensions for some applications. Enabling this policy also prevents easy creation of shortcuts to executables.

• Remove Map Network Drive and Disconnect Network Drive
Recommended setting: Enabled
This policy prevents users from connecting to and disconnecting from shares with Windows Explorer. It does not prevent mapping and disconnecting drives from other applications or the run command. It is recommended that you enable this policy to remove easy access to browsing the domain from Windows Explorer. If mapped drives are necessary, they can be mapped from a logon script.



Last Updated ( Saturday, 11 June 2005 )
 
(C) 2008 GeekExtreme - Tech News & Reviews