I could be wrong on this, but I am not sure if that is possible. I know you can restrict certain "Windows" type Start Menu options, like My Documents, Favorites, etc.
If you want to remove icons like you list, that are pretty much dependent on the items being installed, my best recommendation would be to create a user profile template and push it out, or make it Mandatory Profiles. For those specific icons, I believe that is the only way. I did consult where it would be listed...
Under User Configuration, Administrative Templates, Start Menu and Task Bar, and I didn't see anything at quick glance. However, I am pretty tired.
Did that make sense? Do you understand how a Mandatory profile would allow you to do this?
Basically what you would have to do (and again I am just making sure you know, not trying to insult your intelligence in case you already do know) is log in to any machine on the domain. Create a profile the way you want it, such as removing...
"I'm specifically interested in removing Outlook Express, Messenger, Movie Maker and Games"
Once you have done that, log off from that user.
Next, log back into that SAME machine with a different user account than the one you just modified, but make sure this account has administrative access. Log in, navigate to the Documents and Settings folder of the user that you just modified, and ensure that you can view hidden files and folders. Rename "ntuser.dat" to "ntuser.man". This forces the profile to become mandatory, and can't be done while you are logged in with it. Next, go to Start-Control Panel-System (or right click on My Computer, select Properties), then click on the Advanced tab. Under User Profiles, click Settings. Select, from the list, the profile you just set up the way you want it. Once you do that, click Copy To. Copy this to your server. Make sure to use the FULL UNC path, not D:\profiles. This goes without saying if you are using a workstation, but I made this mistake before where I created the profiles on the server and didn't use the path at first, oops!
Also, ensure that you are sharing out the folder that stores the profiles, and that the Everyone Group has Read Permissions. Read is the default Permissions for the Everyone Group in Win2k3 Server, but it is good to verify.
Once the profile is copied, you can go to the server, Active Directory Users and Computers, select each user and specify their profile location under the profile tab. Let's take a step back for a moment...
Since it sounds like you want to force the same profile for everyone, I would suggest creating a structure like this...
This way you can keep the template for your mandatory profile in that folder, and it gives you the option to later create %username% profiles in the \\SERVER01\profiles\ share if you see fit.
So you would go and select all users at the same time (to save you a lot of time, depending on user count), click Action, Properties. The Profile tab is accessible through this method for multiple users. Under profile path, you would put \\SERVER01\profiles\mandatory
Now, what that does is, the next time they log in, that will point them to the mandatory profile that you have set up.
My mind is a little scattered today, but I believe that should do it. Please, anyone feel free to chime in, just in case there is something I missed, or if anyone else has a question.
Also, if you already knew this, I wasn't trying to imply that you didn't; I just wanted to make sure you were satisfied with the solution I suggested.
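An added PowerShell example, not part of the original thread, that checks the mandatory profile described in the post above before users are pointed at it: the hive was renamed, broad groups cannot write to the template (a writable shared profile lets one user change what everyone loads), and which accounts already use the path. The OU in `$SearchBase` is a placeholder, and the script assumes the ActiveDirectory module (RSAT) on an admin workstation.

```powershell
# Added example: audit a mandatory-profile template, then optionally assign it.
# Assumptions: UNC path taken from the post; the OU below is a placeholder.
param(
    [string]$TemplatePath = '\\SERVER01\profiles\mandatory',
    [string]$SearchBase   = 'OU=Staff,DC=example,DC=local',   # placeholder OU
    [switch]$Apply
)

Import-Module ActiveDirectory

# 1. The hive must be ntuser.man; a leftover ntuser.dat means the rename was missed.
$man = Join-Path $TemplatePath 'ntuser.man'
$dat = Join-Path $TemplatePath 'ntuser.dat'
if (-not (Test-Path -Path $man)) { throw "ntuser.man not found in $TemplatePath" }
if (Test-Path -Path $dat)        { throw "ntuser.dat still present in $TemplatePath" }

# 2. Broad groups should hold read-type rights only on the template folder.
#    This inspects the NTFS ACL, not the share permissions, and does not
#    decode ACEs that are expressed as raw generic rights.
$writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$risky = (Get-Acl -Path $TemplatePath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broad -contains $_.IdentityReference.Value -and
    ($_.FileSystemRights -band $writeBits)
}
if ($risky) {
    $risky | Format-Table IdentityReference, FileSystemRights -AutoSize
    throw 'Template is writable by a broad group; fix the ACL before assigning it.'
}

# 3. Report who already uses the template; change the rest only with -Apply.
$users = @(Get-ADUser -Filter * -SearchBase $SearchBase -Properties ProfilePath)
$todo  = @($users | Where-Object { $_.ProfilePath -ne $TemplatePath })
'{0} of {1} users already point at {2}' -f ($users.Count - $todo.Count), $users.Count, $TemplatePath

if ($Apply) {
    # Same effect as filling in the Profile tab for the selected users.
    $todo | Set-ADUser -ProfilePath $TemplatePath
}
```

Run it without `-Apply` first to get the report and the ACL check without changing any account.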
You could do that as well, but IMO that might be flawed. My reason being he didn't say he wants to block access to the program, just remove the icon. And, if some creative person was really sneaky, they could rename the .exe and it would be able to run after some careful registry editing. Good info though!