It is easier with AD because you can lock out the individual PC and what the individual user has access to as far as programs go, and have a storage location that would give them access to be able to read or read/write to. With everything self-contained on a PC it is a bit hard to lock out the hard drive. You could still lock out the USBs and CD/DVD drive to prevent copying to them, but it is a bit harder to lock out the rest of the computer as you need it to save to and you need storage locations.
We could even lock it down to the point that when you log on it runs a specific application and you have no access to the Windows GUI at all other than the Ctrl/Alt/Del menu for shutdown access and change password access. If the application needs access to see the folders on the C drive, denying access to the C drive in Explorer would be useless.
How I would do it with AD GPO is give a specific user group that would need limited access a desktop and startup folder redirection to a read-only folder with the icons I wanted them to access. I would also disallow access to the C drive in Explorer, disable Task Manager, disable Run, and disable the command prompt. I could put an icon that points to a script to shut down the computer, or give the user Ctrl/Alt/Del rights to shut down the computer.
If the computer only needed to access one specific program, say either the Microsoft Terminal Services client or the Citrix ICA client, I would change the shell=explorer.exe to shell=mstsc.exe or shell=ica32t.exe, which would bring up the application. If needed, I created a script to call the executable after it was closed so that it would be in an endless loop if a user accidentally closed out of the application. The only way to shut down the computer in this case would be to Ctrl/Alt/Del and shut down the computer or hit the power button to shut down the computer.
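A read-only check that the restrictions described above actually reached a user's session, as an added example that is not part of the original post. It assumes the settings are stored at the standard per-user policy registry locations and that PowerShell 3 or later is available; the check names and the `Get-PolicyValue` helper are made up for this example.

```powershell
# Added example: read-only audit of the per-user lockdown described above.
# Run it in the restricted user's session; it changes nothing.
# Assumption: the policies are stored at their standard registry locations.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$cmd = 'HKCU:\Software\Policies\Microsoft\Windows\System'

# Each check: key, value name, and a test the stored data must pass.
$checks = @(
    @{ Name = 'Task Manager disabled';   Path = "$pol\System";   Value = 'DisableTaskMgr'; Test = { $args[0] -eq 1 } }
    @{ Name = 'Run removed';             Path = "$pol\Explorer"; Value = 'NoRun';          Test = { $args[0] -eq 1 } }
    # DisableCMD: 1 blocks cmd.exe and batch files, 2 blocks cmd.exe but still runs batch files.
    @{ Name = 'Command prompt disabled'; Path = $cmd;            Value = 'DisableCMD';     Test = { $args[0] -in 1, 2 } }
    # NoViewOnDrive is a drive bitmask: A = 1, B = 2, C = 4, and so on.
    @{ Name = 'C: blocked in Explorer';  Path = "$pol\Explorer"; Value = 'NoViewOnDrive';  Test = { ($args[0] -band 4) -ne 0 } }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Value)
    # Emits nothing ($null to the caller) when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Value -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Value }
}

$report = foreach ($c in $checks) {
    $data = Get-PolicyValue -Path $c.Path -Value $c.Value
    [pscustomobject]@{
        Setting = $c.Name
        Data    = if ($null -eq $data) { '(not set)' } else { $data }
        Applied = ($null -ne $data) -and [bool](& $c.Test $data)
    }
}

# Shell replacement. Assumption: the per-user "Custom User Interface" policy
# value, when present, takes precedence over the machine-wide Winlogon value.
$userShell    = Get-PolicyValue -Path "$pol\System" -Value 'Shell'
$machineShell = Get-PolicyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Value 'Shell'
$shell = if ($userShell) { $userShell } else { $machineShell }
$report += [pscustomobject]@{
    Setting = 'Shell replaced'
    Data    = $shell
    Applied = [bool]$shell -and ($shell -notmatch '^\s*explorer(\.exe)?\s*$')
}

$report | Format-Table -AutoSize
```

A row showing `(not set)` means that GPO setting never applied to the account, which usually points to the user sitting outside the targeted group or OU.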