I have had the same issues in my shop. Windows XP doesn't have a Power User group as NT did. The Power User group kept people from being able to install anything they wanted.
Due to several legacy systems or programs I have on the network, I have to give people admin rights. I run Novell in my office. How I shut people out of doing things is with the user policy. The true admin policy in my container is for me only, and this gives me full control of the PC. For all others I make a policy that I may call the Power User XP group. The users associated with that group get admin rights from this policy, but in that policy I drill down what I don't want them to do. The Power User group policy I have prevents users from having the ability to run regedit. I also locked down the policy so people can't go in and change the resolution on their computer (so many people mess with that and screw up the settings, and they can't see anything after a reboot). When they go into Control Panel, they don't see the tab that includes resolution. There are other things policies will prevent users from doing. The choices are endless.
Still, my big thing is that this doesn't keep people from installing software on their machines. You can only drill down so tightly with policies. If they are too tight, the legacy programs you want them to use won't work.
My company has a written policy about installing software on corporate equipment. My rule of thumb with the people I support is that if you install non-corporate software on your computer that messes it up, that PC will be reimaged so it is back to the corporate standards. If I can't save everything they had on the machine prior to me reimaging the workstation, this is a problem they made themselves, because the policy has been addressed with them prior to installing the software.