Policy? Do you mean Group Policy objects (GPO)? Unless you intend to
have multiple users on the laptop or just want to "tinker", you don't
need to use GPOs. Otherwise, the information is in the link I provided
earlier, from that article:
Administrators are all-powerful. The default Windows 2000 security
settings do not restrict administrative access to any registry or file
system object. Administrators can perform any and all functions
supported by the operating system. Any right that the administrator does
not have by default, they can grant to themselves.
Ideally, administrative access to the system should only be needed to:
• Install the operating system and components (including drivers for
hardware, system services, and so forth).
• Install Service Packs and hotfixes.
• Install Windows updates.
• Upgrade the operating system.
• Repair the operating system.
• Configure critical machine-wide operating system parameters, for
example, kernel mode driver configuration, password policy, access
control, and audit functions.
In practice, administrative accounts must often be used to install and
run legacy Windows-based applications.
and:
Power Users are ranked between Administrators and Users in terms of
system access. The default Windows 2000 security settings for Power
Users are backward-compatible with the default security settings for
Users in the Windows NT® 4.0 operating system. In short, Power Users are
indeed powerful.
Ideally, Power Users should be able to perform any task except for the
administrative tasks described above. Thus, Power Users should be able to:
• Install and remove applications per computer that do not install
system services.
• Customize system-wide resources (for example, System Time, Display
Settings, Shares, Power Configuration, Printers, and so forth).
In practice, Power Users cannot install many legacy applications,
because these applications attempt to replace operating system files
during the setup process.
If you are concerned about ActiveX controls and security, there is one
program that you should just avoid using, and most of your ActiveX
security concerns will be taken care of.
John