The point is to prevent running programs from where has write access and allow launch where it is impossible to record.
1. To create a user in the Users group.
2. Further, the control Panel → administrative tools → software restriction Policies using programs → Additional rules. Add rules with the ban on drives C: and D: (if any), allow the Program Files, Windows, system32. Also you can prevent and stick.
3. For convenience, to be able to run programs on the labels of Designated file types (located in the Policies limited the use of programs) to remove the labels. There you can remove files from the forbidden fide help, etc.
Install all the software you need to create policies. Tested on XP, on Seven don't know how it will work. With some problems may occur.