(1) First, load a workstation with the specific software you want him/her to run. Your list above is fine. You can do this manually, or via Group Policy Software Installation.
(2) To restrict a user to a specific computer, you need to be running NetBIOS. Then, in the user's Account tab, click the "Log on to" button and specify the computer you want to restrict the user to.
(3) Users -- that is, non-administrators -- cannot go to Windows Update.
(4) To restrict users from all other Web sites, you'll need to get familiar with how to implement Internet Explorer Maintenance policies -- either via local GPOs or via Active Directory GPOs. The process is fairly detailed, but here are the steps in a nutshell: Configure a computer's IE settings to be as restrictive as you want, then use the Internet Explorer Maintenance Settings (specifically, those located in User Configuration | Windows Settings | Internet Explorer Maintenance | Security | Security Zones and Content Ratings) to import the current computer's settings. The computers you apply the GPO to will then receive the same settings.
In short, you may be new to Group Policy, but you'll have to get familiar with it to do lots of tasks -- so it's best to start learning it now!
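The "Log on to" restriction from step (2) is stored in the account's userWorkstations attribute, so it can be applied and audited from a script. The following is an added example, not part of the original answer; it assumes the ActiveDirectory PowerShell module is available, and the account name `kiosk.user` and computer name `KIOSK-PC01` are hypothetical.

```powershell
# Added example: apply and audit the "Log on to" restriction (userWorkstations).
# Assumptions: ActiveDirectory module installed; names below are hypothetical.
Import-Module ActiveDirectory

$user     = 'kiosk.user'    # hypothetical restricted account
$computer = 'KIOSK-PC01'    # hypothetical workstation (NetBIOS name)

# Refuse to restrict the account to a computer that has no domain account;
# a typo here would leave the user unable to log on anywhere.
if (-not (Get-ADComputer -Filter "Name -eq '$computer'")) {
    throw "Computer account '$computer' not found in the domain."
}

# Same effect as entering the name in the "Log on to" dialog.
Set-ADUser -Identity $user -LogonWorkstations $computer

# Audit: list every enabled account, whether it is restricted, and any
# listed workstation that no longer exists as a computer account.
$report = foreach ($u in Get-ADUser -Filter 'Enabled -eq $true' -Properties LogonWorkstations) {
    $allowed = @()
    if ($u.LogonWorkstations) {
        # The attribute is a comma-separated list of computer names.
        $allowed = @($u.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() })
    }
    $stale = @($allowed | Where-Object { -not (Get-ADComputer -Filter "Name -eq '$_'") })

    [pscustomobject]@{
        User       = $u.SamAccountName
        Restricted = ($allowed.Count -gt 0)
        Allowed    = $allowed -join ', '
        StaleNames = $stale -join ', '
    }
}

# Unrestricted accounts sort first so they are easy to review.
$report | Sort-Object Restricted, User | Format-Table -AutoSize
```

Accounts that show `Restricted` as False can log on to any workstation; entries under `StaleNames` point at computer names that should be cleaned out of the restriction list.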
This was first published in February 2004