Put users in the local Users group, not Power Users or Administrators. That'll take care of the first problem, preventing users from writing to files in the Windows folder. Then, use Security Templates to change permissions on specific files, folders and registry keys, opening up holes just big enough for their legacy applications to work properly. See the help in Windows Server for more information about using them, or you can search Microsoft's Web site for numerous white papers about security templates.
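A security template of the kind described above, as an added example that is not part of the original answer. The application folder and registry key are hypothetical placeholders, and the ACLs assume the application only needs to write to one data folder and one settings subkey.

```ini
; legacyapp.inf - constructed example template; the application folder and
; registry key below are hypothetical placeholders.
;
; Preview the differences first, then apply only the file and registry areas:
;   secedit /analyze   /db legacyapp.sdb /cfg legacyapp.inf /log analyze.log
;   secedit /configure /db legacyapp.sdb /cfg legacyapp.inf /areas FILESTORE REGKEYS /log apply.log

[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Entry format: "object",mode,"SDDL"
;   mode 0 = set this ACL and let inheritable entries propagate to children
;   mode 2 = replace the ACLs on all children with inheritable entries
; SDDL trustees: BA = Administrators, SY = Local System, BU = Users

[File Security]
; Program binaries: Users can read and execute (0x1200a9) but not modify.
"%ProgramFiles%\LegacyApp",2,"D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)"
; The one folder the application writes to: Users get Modify (0x1301bf).
"%ProgramFiles%\LegacyApp\Data",2,"D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1301bf;;;BU)"

[Registry Keys]
; Vendor key: read-only for Users.
"MACHINE\SOFTWARE\LegacyVendor\LegacyApp",2,"D:P(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"
; The settings subkey the application rewrites at run time: Users get read and write.
"MACHINE\SOFTWARE\LegacyVendor\LegacyApp\Settings",2,"D:P(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KRKW;;;BU)"
```

Review the analyze log before running the configure step, and widen an entry only when the application fails without it.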
This was first published in July 2003