LoL. Actually its kinda ironic that even if you set the policy in W2K to restrict the command prompt for a specific object, all this does is restrict its execution from a specific location, it does not actually restrict the execution of the command.com. A very easy way to test this is by using the following:
Create a text file on the desktop,
write "\%systemroot%\system32\command.com"
or if installed in default location, simply c:\winnt\system32\..
save the file as xxx.bat
run the file and LoL and behold, you have an unrestricted command prompt running even with all the GPOs prohibiting it...
Just as a note, this was really funny when discovered and shows yet again what a wonderfully secure system W2K is...
But to answer your question GDX, easiest way is to reset the permissions on the net.exe such that only Admins and System have any kind of permissions to it.
Hope this helps.