Editing local GPOs on 2100 computers is going to be heartbreaking. If locking down desktops is a high priority now, then I'd deploy the policy settings via login scripts and then do a proper policy implementation when you have Active Directory. The problem with login scripts is that users must be administrators in order to apply those policies. That's where tools such as Profile Maker from AutoProf come in handy. It's a relatively inexpensive tool that can read ADM (Application Data Management) files and deploy those settings via login scripts without requiring you to add users to the local administrators group. The tool is also exceptionally easy to use. I'd use something similar until you have a proper Active Directory implementation.
This was first published in February 2003