If you are using Windows 2000/2003 group policies then you can add the user Power Users group via Group Policies. That can be found in:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups
Go there and add Power Users, then place the users or the group of users in there as members. Now by doing it, it will explicitly set it. Meaning that if there are any other users or groups manual set on any machine it will override them. I think if you put the users in as "Members Of" it will merger - but I am not 100%.
The way we do it is via Computer Configuration\Windows Settings\Security Settings\File System
This allows us to give users only access to folders that specific apps need.
There is a little quark that we figured out with it. When you go to add a new file or folder and you simply type in: c:\Program Files\Application Dir
it will typically work. We had an issue in a couple places. So what we do now is from the machine you are editing the group policies from:
-in Windows Explorer go to c:\Program Files
-create a new folder with the same name that they need access to. (Ex: c:\Program Files\Mozilla Firefox)
-it DOES NOT MATTER if the application is even installed locally just create the c:\program files\app dir
-now in the in File System policy add a new directory and point it to your c:\Program Files\Mozilla Firefox directory.
-When you click OK it will prompt you will File/Folder security settings
-now the dir should be shown in the policy as: %ProgramFiles%\Mozilla Firefox
-by doing it this way it ensures that it uses the %programfiles% variable. If you were to just type in %programfiles% it would just resolve as c:\Program Files on your local machine.
It is an extra step but it works every time.
-Matt