Stopping Domain users disabling anti-virus services on domain PCs


Michael Hewson

We currently run Sophos Antivirus on our network from a CID - Some of my more
savvy users have an annoying habit of turning off the Sophos Service from
the services menu to free up system resources on their local PCs. I would
like to be able to prevent them from doing this. Is there any way I can do
this via Group Policy by making that particular service controllable by the
Domain Admin or the Sophos Sweep Account?

Many Thanks,

Michael Hewson MCP

Lanwench [MVP - Exchange]

Do they have local admin rights? Rescind them.

I haven't used Sophos - I use Officescan, and one of the options in setup is
to prohibit any user from stopping the AV service unless they know the setup
password - even local admins can't do it.

Steven L Umbach

I agree with Ms Lanwench, but FYI you can configure security on services in security
policy for domain or Organizational Unit. It would be under computer
configuration/Windows settings/security settings/services I believe. The link below
goes into more detail. Disabling a service is just one example of what a user who is
a local administrator can do. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;256345

Karl Levinson [x y] mvp

Absolutely, but only if your users are not in the local Administrators
group. If they're there, you can still try to stop them, but
Administrators can always undo anything you can do.

To do this, you can launch MMC.EXE and add/remove snap-in, add
security templates and security configuration MMCs, create a template
that disables services [note that by default you only see services
that are installed on the workstation you're on, but you can add other
services by editing the template file manually], save the template,
use the security config MMC to create a new database and import the
template to it, close the MMC, copy the database from the
windowsroot\security\database\ folder, then use the secedit /configure
/verbose /db "x:\foldername\databasename.sdb" command to import the
database. This last step of applying the group policy template
probably requires local Admin privileges to run, so you could
alternatively import the template into AD group policy and apply it
that way, if you have AD, or you could set up a Task Scheduler job and
enter the ID and password of an Administrator-equivalent account to
run a script to apply the GP.

A few hitches: when creating the group policy template using the MMC
GUI, you only see the services installed on the machine you're working
on [although you could edit an .INF template file manually in Notepad
if you know the name of the service if you wish]. Second, AFAIK, in
order to be able to change permissions via GP, you will have to
specify that the service is set to startup: "Automatic," so that
unless you take special action, everyone getting this GP policy gets
the service re-set to start Automatically. Third, I believe your
permissions that you apply will always overwrite and remove the
permissions that are currently on the service. This might not be a
problem for you here, but I mention it just in case. It can
definitely make things tricky if you are trying to use GP to modify
the permissions on, say, the root of the C: drive.
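A scripted form of the template-plus-secedit route described above, added here as an example and not taken from any poster in this thread. The Sophos service's short name is a placeholder, and the SDDL is my assumption about the rights wanted (full control for SYSTEM and Administrators, query-only for Authenticated Users); it also reads the resulting descriptor back with sc.exe to confirm that non-admin principals can no longer stop the service.

```powershell
# Added example. Assumes a PLACEHOLDER service name; look up the real short
# name first (Get-Service | Where-Object DisplayName -like '*Sophos*').
$ServiceName = 'SOPHOS_SERVICE_PLACEHOLDER'
$Inf = "$env:TEMP\lockav.inf"
$Db  = "$env:TEMP\lockav.sdb"

# Service DACL in SDDL (assumed policy): SYSTEM and Administrators get full
# control; Authenticated Users may only query/interrogate the service.
# WP (stop), DT (pause/continue) and DC (change config) are deliberately absent.
$Sddl = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)' +
        '(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
        '(A;;CCLCSWLOCRRC;;;AU)'

# Security template. The startup value (2 = Automatic) is mandatory in this
# section, which is the hitch noted above: the template sets the start type too.
# The DACL replaces whatever is currently on the service; it is not merged.
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Service General Setting]
"$ServiceName",2,"$Sddl"
"@ | Set-Content -Path $Inf -Encoding Unicode

# Apply only the SERVICES area; this needs an elevated (local Administrator) session.
secedit.exe /configure /db $Db /cfg $Inf /areas SERVICES /verbose

# Check: read the effective descriptor back and flag any ACE that still grants
# stop/pause/reconfigure rights to Everyone (WD), Authenticated Users (AU),
# Interactive (IU) or Users (BU).
$effective = sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }
$weak = [regex]::Matches($effective, '\(A;[^;]*;([A-Z]+);;;(WD|AU|IU|BU)\)') |
        Where-Object { $_.Groups[1].Value -match 'WP|DT|DC|WD|WO' }
if ($weak) { "Non-admin users can still control ${ServiceName}: $($weak.Value -join ' ')" }
else       { "Only SYSTEM/Administrators can stop $ServiceName" }
```

Members of the local Administrators group can of course reset this DACL, which is the point made at the start of this post.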

Michael Hewson

Thanks Steve - that's great - just the job.

Steven L Umbach said:
I agree with Ms Lanwench, but FYI you can configure security on services in security
policy for domain or Organizational Unit. It would be under computer
configuration/Windows settings/security settings/services I believe. The link below
goes into more detail. Disabling a service is just one example of what a user who is
a local administrator can do. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;256345