Back in 1997, I was working at LEGO doing a PC project based on Windows NT workstation. The goal was end-users without local administrative permissions. This made perfectly sense, as we came out of a OpenVMS environment where that was the norm.
Back then, we learned the hard way how difficult it was to do this and without regmon and filemon we never could have do it. Back then the problem was lack of documenation - today the problem is the waste amount of documentation - and when you finally hit the right spot you sometimes find that the detail you were looking for was left out of the documentation - or simply wrong.
Things have improved when it comes to using LUA but there are still a way to go before nirvana is reached.
Aaron Margosis created a series of articles on this - and the best is the prioritized approach he has taken - i.e. should I start tweaking the registry permissions first or should I copy parts of the class registry to HKCU? Read it all here and here.
Also read my LUA article about controlling permissions with Group Policy.