Disabling Creation of Shortcuts (#2)

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

I've read the other thread on how to disable shortcut creation, however this
doesn't help me at all.

We are using GPO's and no settings actually exist to explicitly DISALLOW
creation of shortcuts - We can stop them if we disable the file menu in
explorer but this then disables the file menu in IE too.

Is there a way, using GPOs/ADMs or even keys in the registry that can be
utilised to prevent shortcut creation?

Failing that, can we prevent shortcuts pointing to network resources as I
work in a school and several students have realised they can get to network
shares providing they know the name. The network has no browser services
anywhere (now) but a few clever kids got names of a few servers and shares.
Shares such as NETLOGON can't be disallowed as it's required at login time -
yet we want to stop them using explorer to get to these shares directly.

The kids are locked down as much as possible without making the computers
next to useless for them. They have no run, no command prompt, no registry
editing tools etc.. Yet they can still create shortcuts and point them to
servers? What about UNC path browsing? Can that be stopped as well? You could
argue that simply letting them create shortcuts isn't a problem or letting
them browse the network isn't a problem as there's no browser service. This
isn't the way I see it, I'd rather not leave them ANY avenues where they
could potentially compromise anything, even by knowing a server name, they
could download tools on the net (our internet is filtered by the upstream but
that's not fool-proof) and use it to DoS the server in question or attempt to
hack it directly from inside.

We will be moving from Linux and Samba 3.0.10 to Windows 2003 Server + AD in
4-5 months, so anything suggested should work primarily for AD, rather than
Linux.

Any hints/tricks/tips/suggestions of ANY kind are welcome as I'm desperate
for some ideas - I've even looked under CLASSES_ROOT in the registry to see
if I can disable it there, while I'm sure I can disable it there, I'm sure
I'd cause some huge breakage if I just wipe the keys out or give them wrong
values.