will your users be using roaming profiles? if so you can create a user and setup the desktop exactly the way that you want it. Then copy that user’s profile to a share on the network and make it read-only. Then point each user’s account to that profile for their roaming profile. they will be able to move and change things but when they logon again it will be right back the way it started.
If the users are not added to any local or domain administrator groups then they will not be able to add or remove any programs by default. there is the problem of portable apps though. These are apps that don’t have an install. They just run from the directory that they are in. To stop users from running that you would need to look deeper into software restriction policies and application whitelisting so that they will not be able to run anything except the applications that you approve.
If you run into poorly written apps that require admin rights to run the app then use a program called regmon. Start this program and then open the program that requires admin access. The regmon program will show you exactly which registry settings this program is accessing. Then you can give that user group access to those specific registry keys so they will not require admin access to do it. You will also need a program called filemon. This program will allow you to see what files the program accesses during operation so that you can give the user group proper access to those as well.
when you create the profile, after you are done, change the profile to a mandatory profile by renaming the profile. Instead of ntuser.dat, you will have ntuser.man. Mandatory profiles allow session changes but nothing is saved after the user logs off.
MMC is available simply by typing mmc at the run line. Click file|add/remove snapin to build consoles, save when done.