Deploying Windows 2003 Terminal Server
Written by bigboi   
Thursday, 09 June 2005
Page 8 of 9

[User Configuration\Administrative Templates\Control Panel\Add or Remove Programs]
• Remove Add or Remove Programs
Recommended setting: Enabled
This policy removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. If access to Control Panel is prohibited, this policy can be used to remove the links to Add or Remove Programs from places like My Computer; the link then displays an access denied message if clicked. This setting does not prevent users from using other tools and methods to install or uninstall programs. It is recommended that you enable this policy to prevent users from viewing Terminal Server configuration information.

[User Configuration\Administrative Templates\Control Panel\Printers]
• Prevent deletion of printers
Recommended setting: Enabled
This policy prevents users from using familiar methods to add local and network printers. It is recommended that you enable this policy to prevent users from browsing the network or searching Active Directory for printers. This policy does not prevent the auto-creation of Terminal Server redirected printers, nor does it prevent users from running other programs to add printers.

[User Configuration\Administrative Templates\Control Panel\Display]
• Remove Display in Control Panel
Recommended setting: Enabled
This policy prevents users from seeing the Display settings icon in the control panel.

[User Configuration\Administrative Templates\Control Panel\Display\Desktop Themes]
• Remove Theme Option
Recommended setting: Enabled
This policy prevents users from accessing desktop themes.

[User Configuration\Administrative Templates\System]
• Prevent access to the command prompt
Recommended setting: Enabled – Set “Disable the command prompt script processing also” to No.
This policy prevents users from running the interactive command prompt Cmd.exe. From the command prompt users can start applications. This setting also determines whether batch files (.cmd and .bat) can run on the computer.
It is recommended that you enable the “Prevent access to the command prompt” policy to prevent users from bypassing other policies by using the command prompt instead of Windows Explorer as the shell.

• Prevent access to registry editing tools
Recommended setting: Enabled – Prevent regedit from running silently? Yes
This policy restricts users from changing registry settings by disabling Regedit.exe. It is recommended that you enable this policy to prevent users from changing their shell to the command prompt or bypassing several other policies. This policy does not prevent other applications from editing the registry.

• Run only allowed Windows applications
Recommended setting: Enabled – Define list of authorized applications
It is recommended that you enable this policy to restrict users to running only the programs that are added to the List of Allowed Applications. This setting only prevents users from running programs that are started by Windows Explorer. It does not prevent users from running programs such as Task Manager, which can be started by a system process. Also, if users have access to the command prompt, Cmd.exe, this setting does not prevent them from starting programs from the command window that they are not permitted to start by using Windows Explorer.

[User Configuration\Administrative Templates\System\CTRL+ALT+DEL Options]
• Remove Task Manager
Recommended setting: Enabled
This policy prevents users from starting Task Manager. It is recommended that you enable this policy to prevent users from using Task Manager to start and stop programs, monitor the performance of the Terminal Server, and find the executable names for applications.

• Remove Lock Computer
Recommended setting: Enabled
This policy prevents users from locking their sessions. Users can still disconnect and log off. While locked, the desktop cannot be used; only the user who locked the system or the system administrator can unlock it.

[User Configuration\Administrative Templates\System\Scripts]
• Run legacy logon scripts hidden
Recommended setting: Enabled
This policy hides the instructions in logon scripts written for Windows NT 4.0 and earlier. It is recommended that you enable this policy to prevent users from viewing or interrupting logon scripts written for Windows NT 4.0 and earlier.

Remote Connectivity

Log on to the firewall and change the ruleset so that external connectivity to the Terminal Server is possible. You will need to forward ports 80 and 3389 to your Terminal Server. This allows people who simply use the web client to reach the server, as well as users connecting with Remote Desktop. Make sure you are also allowing outbound traffic on ports 80 and 3389 from the Terminal Server.

Add a disclaimer page to the default web site on the terminal server which has a link that takes the user to the tsweb site. As for connection security, there is a FAQ entry here that notes all connections to TS use 128-bit security for clients that support it. I would still suggest using a VPN, but if it's not feasible for you then the Remote Desktop Connector will provide encryption. The entry is quoted below:

• Is it safe to allow employees to connect directly (over the Internet) to Windows Terminal Services, without using a VPN? Yes. By default, connections to terminal servers are secured by 128-bit, bi-directional RC4 encryption—when used with a client that supports 128-bit. (RDC is 128-bit by default). It is possible to connect with older clients using encryption lower than 128-bit, unless it’s specified that only high-encryption clients are allowed. An additional encryption level, labeled “FIPS Compliant” has been added to Terminal Server in Windows Server 2003. This level of security encrypts data sent from the client to the server, and from the server to the client, with the Federal Information Processing Standard (FIPS) encryption algorithms using Microsoft cryptographic modules. This new level of encryption is designed to provide compliance for organizations that require systems to be compliant with FIPS 140-1 (1994) and FIPS 140-2 (2001) standards for Security Requirements for Cryptographic Modules.
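As an added example that is not part of the original article, the following PowerShell script audits, from inside a user's Terminal Server session, whether the user-side policies listed above have actually applied (by reading the registry values that back each policy, including the expected values for the command prompt and regedit options recommended above) and whether the RDP listener enforces at least High encryption, which is the "only high-encryption clients are allowed" setting the FAQ entry refers to. The script assumes the default listener name RDP-Tcp; the policy-to-registry mapping is the standard one for these policies.

```powershell
# Added audit script (not from the original article). Reads the HKCU values that back
# the recommended user policies and the RDP-Tcp listener's minimum encryption level.
$cv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

$userPolicies = @(
    @{ Name = 'Remove Add or Remove Programs';             Key = "$cv\Uninstall"; Value = 'NoAddRemovePrograms';    Expected = 1 },
    @{ Name = 'Prevent deletion of printers';              Key = "$cv\Explorer";  Value = 'NoDeletePrinter';        Expected = 1 },
    @{ Name = 'Remove Display in Control Panel';           Key = "$cv\System";    Value = 'NoDispCPL';              Expected = 1 },
    @{ Name = 'Remove Theme Option';                       Key = "$cv\Explorer";  Value = 'NoThemesTab';            Expected = 1 },
    # DisableCMD lives under Software\Policies; 2 = block Cmd.exe but still allow .bat/.cmd scripts
    @{ Name = 'Prevent access to the command prompt';      Key = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Value = 'DisableCMD'; Expected = 2 },
    # DisableRegistryTools 2 = also block "regedit /s" (silent import)
    @{ Name = 'Prevent access to registry editing tools';  Key = "$cv\System";    Value = 'DisableRegistryTools';   Expected = 2 },
    @{ Name = 'Run only allowed Windows applications';     Key = "$cv\Explorer";  Value = 'RestrictRun';            Expected = 1 },
    @{ Name = 'Remove Task Manager';                       Key = "$cv\System";    Value = 'DisableTaskMgr';         Expected = 1 },
    @{ Name = 'Remove Lock Computer';                      Key = "$cv\System";    Value = 'DisableLockWorkstation'; Expected = 1 },
    @{ Name = 'Run legacy logon scripts hidden';           Key = "$cv\System";    Value = 'HideLegacyLogonScripts'; Expected = 1 }
)

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy never applied
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

foreach ($p in $userPolicies) {
    $actual = Get-PolicyValue -Key $p.Key -Name $p.Value
    $status = if ($null -eq $actual) { 'MISSING' }
              elseif ($actual -eq $p.Expected) { 'OK' }
              else { "WRONG($actual)" }
    '{0,-10} {1}' -f $status, $p.Name
}

# RestrictRun only restricts anything if the allow-list subkey is populated
$runKey = Get-Item -Path "$cv\Explorer\RestrictRun" -ErrorAction SilentlyContinue
$allowList = @(if ($runKey) { $runKey.Property | ForEach-Object { $runKey.GetValue($_) } })
'Allowed applications ({0}): {1}' -f $allowList.Count, ($allowList -join ', ')

# Listener encryption: 1 = Low, 2 = Client Compatible, 3 = High (128-bit only), 4 = FIPS Compliant
$listener = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$level = Get-PolicyValue -Key $listener -Name 'MinEncryptionLevel'
$encStatus = if ($null -eq $level) { 'UNKNOWN' } elseif ($level -ge 3) { 'OK' } else { "WEAK(level $level)" }
'{0,-10} RDP-Tcp MinEncryptionLevel' -f $encStatus
```

Run it as the locked-down user to see the HKCU results; the listener check reads HKLM and needs read access to the Terminal Server key.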

Last Updated ( Saturday, 11 June 2005 )