Put users in the local Users group, not Power Users or Administrators. That'll take care of the first problem, preventing users from writing to files in the Windows folder. Then, use Security Templates to change permissions on specific files, folders and registry keys, opening up holes just big enough for their legacy applications to work properly. See the help in Windows Server for more information about using them, or you can search Microsoft's Web site for numerous white papers about security templates.
Related Q&A from Jerry Honeycutt
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.