There are a couple of different ways of locking down the desktop on a Windows operating system, but the one this guide focuses on is permission-based enforcement via a GPO. With help from the image below, the following steps will help you achieve this lock-down method:
1. Create a new GPO and link it to the OU that contains the client computers.
2. Edit the GPO and, under Computer Configuration > Windows Settings > Security Settings, right-click File System and select New.
3. In the file path, enter %UserProfile%\Desktop. This will automatically resolve the user's profile name, saving you from adding each user's profile path manually.
4. Press OK, remove all security groups and users from the permissions menu, and add the user security group or names you want this restriction to apply to. Set the permissions for the group or user to Read access only, and also add an administrative group with Full Control.
5. Within the Security Policy Settings window, select the option Replace existing permissions on all subfolders, then click OK. The policy is now configured.
6. Return to the Group Policy Management Console and set the security settings of the policy to either Authenticated Users or the security group you want this policy to apply to.
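
One way to confirm on a client that the permissions from steps 4 and 5 actually landed on each profile's Desktop folder once Group Policy has refreshed. This is an added example, not part of the original guide; the group name CONTOSO\Desktop-Restricted is hypothetical, and BUILTIN\Administrators and C:\Users are assumed defaults you should adjust.

```powershell
# Added example: audit the Desktop ACL of every local profile after the GPO has applied.
# Assumptions (not from the guide): group names and profile root below are placeholders.
param(
    [string]$RestrictedGroup = 'CONTOSO\Desktop-Restricted',  # hypothetical restricted group
    [string]$AdminGroup      = 'BUILTIN\Administrators',      # assumed administrative group
    [string]$ProfilesRoot    = 'C:\Users'                     # assumed profile location
)

# Rights that would let a user create, change or delete desktop items.
$writeMask   = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-DesktopAcl {
    param([string]$Path)

    $acl   = Get-Acl -LiteralPath $Path
    $allow = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' }

    $restricted = $allow | Where-Object { $_.IdentityReference.Value -eq $RestrictedGroup }
    $admins     = $allow | Where-Object { $_.IdentityReference.Value -eq $AdminGroup }
    $others     = $allow | Where-Object { $_.IdentityReference.Value -notin @($RestrictedGroup, $AdminGroup) }

    [pscustomobject]@{
        Path               = $Path
        # True only if the group has an Allow entry and none of its entries carry write rights.
        RestrictedReadOnly = [bool]$restricted -and -not ($restricted | Where-Object { $_.FileSystemRights -band $writeMask })
        # True if the administrative group holds Full Control.
        AdminFullControl   = [bool]($admins | Where-Object { ($_.FileSystemRights -band $fullControl) -eq $fullControl })
        # Step 4 removes every other principal, so anything listed here is a deviation.
        UnexpectedEntries  = ($others.IdentityReference.Value | Sort-Object -Unique) -join '; '
        InheritanceBlocked = $acl.AreAccessRulesProtected
    }
}

# Check every profile that has a Desktop folder and print one row per profile.
Get-ChildItem -LiteralPath $ProfilesRoot -Directory |
    ForEach-Object { Join-Path $_.FullName 'Desktop' } |
    Where-Object { Test-Path -LiteralPath $_ -PathType Container } |
    ForEach-Object { Test-DesktopAcl -Path $_ } |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the client. A profile whose row shows RestrictedReadOnly as False or a non-empty UnexpectedEntries column did not receive the permissions the policy defines.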