Well with NT4 as server and NT/9x as clients you do as follows:
First create a user account as normally. Then create a new policy with the system policy manager (poledit.exe). From edit-menu select add user and browse the user for you want to create rules.
You should now see a head-icon with the username under it. You can configure the policy of that user by double-clicking the "head".
Select the box "System->Restrictions->Run only allowed windows applications" and make a list of the applications you want the user be able to run. I'd include at least explorer.exe ;-)
The ready policy, which can contain many individual settings for users and groups, should be saved as ntconfig.pol in the folder shared as netlogon (c:\winnt\system32\Repl\Import\Scripts). The file should be on every DC you have.
Whether this works same way or not with w2k i don't know, but tell me did it.
-tapio