are you sure his account is a user and not a power user? There is a huge difference in access rights, so you might want to check. Even if you don't have the Policies that Pro does, you can still apply registy based policies, poledit.exe from NT4 days, that will work. Also, doing things like disabling Registry access will help. You just need to leave a back door for your self. ie, only apply the setting to the accounts you want to do it to. meaning you need to load their registry profile and change it there. Also, by removing things like cscript.exe and wscript.exe from the system, you will be a little safer.
Good luck.