First, create the GPO and apply it to the OU to restrict the Control Panel. The policy setting you're after is User Configuration | Administrative Templates | Control Panel then enable the "Prohibit access to the Control Panel." Then, use "Security Filtering" upon the GPO you create. At this point, you have two options: you can add all the user accounts you want to get the GPO to a Windows security group, and ensure they get the "Read" and "Apply Group Policy" permissions upon the GPO. Or, you can add all the user accounts you DON'T want to get the GPO and DENY them the ability to "Apply Group Policy" permission.
Note: If you have my Windows 2000: Group Policy, Profiles and IntellMirror text, you can see how to do this on Page 48-50.
This was first published in November 2003