Answer: by denying them the read-right:
Making Different Settings for Different Users
Centrally managed Group Policy settings—that is, those that are stored in Active Directory in Windows .NET Server or Windows 2000 Server—can be applied to individual users, computers, or groups of either. You can have multiple sets of Active Directory–based Group Policy objects, allowing you to create an entirely different collection of settings for different users or computers.
Such is not the case with local Group Policy. Local Group Policy settings apply to all users who log on to the computer. (If the computer is joined to a domain, however, the local settings might be overridden by Active Directory–based settings. For details, see "How Local Group Policy Settings Interact with Active Directory–Based Group Policy Settings.") You can’t have multiple sets of local Group Policy objects.
Although you can’t have customized settings for each of several different groups, you can effectively have two groups of users: those who are affected by local Group Policy settings and those who are not. This duality affects only the User Configuration settings; Computer Configuration settings are applied before anyone logs on.
You can do this because local Group Policy depends on users having Read access to the local Group Policy object, which is stored in the %SystemRoot%\System32\ GroupPolicy folder. Policies are not applied to users who do not have Read access; therefore, by denying Read access to administrators or others whom you don’t want to restrict, you free those users from control by group policies. To use this method, follow these steps:
Make the Group Policy setting changes that you want.
In Windows Explorer, right-click the %SystemRoot%\System32\GroupPolicy folder and choose Properties. (GroupPolicy is a hidden folder; if you can’t find it in System32, choose Tools, Folder Options, View, Show Hidden Files And Folders.)
On the Security tab of the GroupPolicy Properties dialog box, select the Administrators group and select the Deny check box for the Read permission. (If you want to exclude any other users or groups from Group Policy control, add them to the Group Or User Names list and then deny their Read permission.)
note
--------------------------------------------------------------------------------
You must deny the Read permission rather than simply clear the Allow check box. Otherwise, all users would continue to inherit Read permission because of their automatic membership in the Authenticated Users group.
At your next logon using one of the Read-disabled user accounts, you’ll find that you’re no longer encumbered by Group Policy settings. Without Read permission, however, you’ll find that you’re also unable to run Group Policy—so you can’t view or modify Group Policy settings. To regain that power, you need to revisit the Group Policy Properties dialog box and grant yourself Full Control permission.
Keep in mind that, even without the aforementioned security shenanigans, the default security settings effectively produce two groups of users. Although the local Group Policy settings apply to all users (clarification: all users who have Read access to the local Group Policy object), only members of the local Administrators group can view or change these settings.
If customizing the effects of Group Policy settings based on group membership is important to you, you should install Windows .NET Server or Windows 2000 Server and set up Active Directory. But the methods described in this section can provide an easy compromise solution.
[From: Windows XP Inside Out]
