To lock them from installing sw, I've heard of people limiting access to common installers. I've tried this with varying success by manually limiting user access to the windows installer, although I believe there is a way to change where windows looks for the installer, so it can be bypassed via registry, so I lock it down so they can't access or have rights to that.
Settings lockdown, I usually just lock them out of control panel, display properties, IE options, firefox settings (via an addon), setting the wallpaper, disable command prompt and the "run..." option, and a few other things. I do it all through the registry with a script, but it can be modified within group policy editor.