We're migrating ours DC to 2008 and updating/cleaning up our GPO's,and a debate has emerged, regarding blocking or not user access to certain parts of windows, like control panel.
In our current config, many things are blocked, like internet options, folder options, control panel, etc. This takes some helpdesk time, like, when someone wants to view file extensions.
All of our corporate users are limited users, so they can't break anything of their systems.
So, my position is, "block only the things you need to block" ,like, corporate wallpaper or browser homepage, and leave as default the other things (control panel, etc).
because users don't have rights to modify system things, any harm can be done if they can see it. And sometimes it's helpful for helpdesk be able to take a look of the current config from user account.
Other people of our...