1. use group policy (see below) or set security permission in the registry
(be careful)
2. use NTFS permission
3. use group policy
4. that depends on how you deal with the java
Under User Config\Administrative Templates\System\
Prevent access to the command prompt
"Prevents users from running the interactive command prompt, Cmd.exe. This
setting also determines whether batch files (.cmd and .bat) can run on the
computer. If you enable this setting and the user tries to open a command
window, the system displays a message explaining that a setting prevents the
action. Note: Do not prevent the computer from running batch files if the
computer uses logon, logoff, startup, or shutdown batch file scripts, or for
users that use Terminal Services."
Prevent access to registry editing tools
"Disables the Windows registry editor Regedit.exe. If this setting is
enabled and the user tries to start a registry editor, a message appears
explaining that a setting prevents the action. To prevent users from using
other administrative tools, use the Run only allowed Windows applications
setting."
Run only allowed Windows applications
"Limits the Windows programs that users have permission to run on the
computer. If you enable this setting, users can only run programs that you
add to the List of Allowed Applications. This setting only prevents users
from running programs that are started by the Windows Explorer process. It
does not prevent users from running programs such as Task Manager, which are
started by the system process or by other processes. Also, if users have
access to the command prompt, Cmd.exe, this setting does not prevent them
from starting programs in the command window that they are not permitted to
start by using Windows Explorer. Note: It is a requirement for third-party
applications with Windows 2000 or later certification to adhere to this
setting. Note: To create a list of allowed applications, click Show, click
Add, and then enter the application executable name (e.g., Winword.exe,
Poledit.exe, Powerpnt.exe)."
Don't run specified Windows applications
"Prevents Windows from running the programs you specify in this setting. If
you enable this setting, users cannot run programs that you add to the list
of disallowed applications. This setting only prevents users from running
programs that are started by the Windows Explorer process. It does not
prevent users from running programs, such as Task Manager, that are started
by the system process or by other processes. Also, if you permit users to
gain access to the command prompt, Cmd.exe, this setting does not prevent
them from starting programs in the command window that they are not permitted
to start by using Windows Explorer. Note: To create a list of disallowed
applications, click Show, click Add, and then enter the application
executable name (e.g., Winword.exe, Poledit.exe, Powerpnt.exe)."
BR,
Denis