[robg notes: The following hint was submitted by an anonymous tipster, who was somewhat uncertain if I should run it or not, as it does "reveal" a "security exploit" in OS X 10.3. However, I think it's fine to run, for a couple reasons. First, the "exploit" is not really an exploit, and I believe Apple is well aware of it already (see the Note below). Also, the hint includes two easy workarounds that solve the problem. So with that explanation, here's the "exploit" and fix. The language below is mine, but the fix in the second part is thanks to the anonymous tipster...]
OS X 10.3 includes a security restriction known as "Simple Finder" (on the Limitations tab of the Accounts system preferences panel). In theory, this allows you to quickly restrict which apps a 'simplified user' can use. However, there's a very simple method through which these simplified users can open any application, including ones that aren't "allowed" under the Simple Finder tab.
In Simple Finder mode, the user sees a dock with a few folders in it, including a "My Applications" folder, which includes the applications selected in the Simple Finder tab for the user. But running any application is amazingly simple. Just click the My Applications folder in the dock, and (as expected), the folder opens in the Finder. Now use the Finder's built-in Command-Up Arrow shortcut (Go -> Enclosing Folder), and you'll start to move up through the folders. Do this enough times, and you'll be able to open /Applications, from where you can run everything -- you still won't be able to do things that an admin could do, of course, but you can launch every application and/or utility on the system. So it's not an exploit that grants a higher user-level to a restricted user, but it does let them do things that you may think they cannot.
Note: Exploit is in quotes above because Apple's language on the "Simple Finder" tab is ambiguous. They state that 'The Simple Finder has a simplified Dock and allows the user to directly use only those applications showing in the "My Applications" folder in the Dock.' I added the emphasis, as the phrase 'directly use' implies, to me anyway, that Apple is aware there are fairly easy workarounds that allow all applications to be run. On the other hand, a KnowledgeBase article describes the feature this way: "Simple Finder makes your computer more secure because it restricts the access people have to your disks and applications." So it's ambiguous :).
If you want to truly restrict the simplified users on your machine(s), read the rest of the hint for two (relatively easy) solutions...
The wording noted above on the Simple Finder tab may lead one to believe that the chosen user will be prevented from using applications that aren't selected in the panel. However, the setting only specifies which applications appear in the "My Applications" folder, and does not place any limitations on which applications may actually be launched by a "Simplified" user. In contrast, the description under "Some Limits" explicitly states that the "user can only use (the selected) applications," and in fact, any attempt to launch a disallowed application in a "Limited" account results in an error message.
So the simplest fix is to just switch the user to Some Limits mode, and specify which programs they can use. However, when you do this, you lose the "simple finder" interface, as the Some Limits accounts get a normal OS X Finder. So what if you want the Simple Finder interface with hard restrictions on which applications the user can run?
To restrict a "Simplified" user to just a few selected applications, follow the general procedure for modifying mcx_settings (explanations can be found in this hint and in this KnowledgeBase article) and rename the key called ItemList to AccessList. It appears under com.apple.applicationaccess and Forced. I think this is easier than adding the key to a "Limited Account." As usual, be aware that making an error in NetInfo Manager can have serious consequences.
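As an added example (not from the original hint or from Apple): a Python script that audits an exported copy of a user's mcx_settings property list and performs the ItemList to AccessList rename on that copy. The sample plist is constructed, and its nesting outside com.apple.applicationaccess and Forced, along with the application path, is an assumption.

```python
import plistlib

DOMAIN = "com.apple.applicationaccess"
# Constructed sample. Only the DOMAIN and "Forced" levels come from the hint;
# the remaining nesting and the application path are assumptions.
SAMPLE = b"""<plist version="1.0"><dict>
 <key>mcx_application_data</key><dict>
  <key>com.apple.applicationaccess</key><dict>
   <key>Forced</key><array><dict>
    <key>mcx_preference_settings</key><dict>
     <key>ItemList</key><array>
      <string>/Applications/Safari.app</string>
     </array>
    </dict></dict></array>
  </dict></dict>
</dict></plist>"""

def walk(node):
    """Yield every dict nested anywhere inside node."""
    if isinstance(node, dict):
        yield node
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from walk(child)

def forced_dicts(settings):
    """Dicts found below com.apple.applicationaccess -> Forced."""
    found = []
    for d in walk(settings):
        domain = d.get(DOMAIN)
        if isinstance(domain, dict):
            found.extend(walk(domain.get("Forced", [])))
    return found

def audit(settings):
    """'enforced' if AccessList is present, 'display-only' if only ItemList."""
    keys = {k for d in forced_dicts(settings) for k in d}
    if "AccessList" in keys:
        return "enforced"
    return "display-only" if "ItemList" in keys else "unmanaged"

def enforce(settings):
    """Rename ItemList to AccessList in place; return how many were renamed."""
    renamed = 0
    for d in forced_dicts(settings):
        if "ItemList" in d and "AccessList" not in d:
            d["AccessList"] = d.pop("ItemList")
            renamed += 1
    return renamed
```

Load a real export with plistlib.load(), check audit(), and write the result back with plistlib.dump() only after comparing it to the original.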
As long as you are editing the mcx_settings, there are some other interesting keys that are available for modification to ease some of the restrictions on Simple Finder users. Some of the keys can even be used without involving NetInfo at all, by changing the com.apple.xxx.plist file of the respective applications that they govern. For example, the size-immutable, contents-immutable and static-only keys can be applied to the Docks of non-Simple Finder users. In particular, the contents-immutable key can prevent accidental removal of dock items as well as the 'moving target' issue when dragging files to the trash, and can even be applied to an admin account. These keys take a boolean true or false as in:
defaults write com.apple.dock contents-immutable -bool true
If you actually like the no-desktop one-click Launcher style interface of Simple Finder, you can use:
defaults write com.apple.finder InterfaceLevel "simple"
Change the location where screen shots are saved:
defaults write com.apple.screencapture location '/Users/you/Path/to/Folder'
To see the changes, log out and back in. To reverse the changes, just use defaults delete with the appropriate key, and without a value.
Mac OS X Hints
http://hints.macworld.com/article.php?story=20040824235605425