Difficult. The user needs somewhere on the HDD to write temporary files - typically c:\temp or c:\documents and setting\\...\temp or both. The user must have Change permissions to this area. Further, users must have rights to create or modify their own profile if you're using individual usernames.
It gets worse if the machine isn't on a network and you're not using mandatory profiles.
You'll need to clear down any common temporary areas between users - have a cleardown script as part of the login script or in the Startup folder (better is in the registry).
Go to MS's website and grab their documents on security, policies, profiles, and group policy objects.
It'll be an interesting exercise.
