Working on windows machines is not a choice activity of mine, but if it helps keep my father in business, then so be it. A lot of what I've learned I've picked up from Chris Clausen, an admin for ACM@UIUC.
Some of the techniques listed here will also work for the DOS-kernel Windows versions, but I wouldn't recommend it. NT is a lot more solid. My favorite version of Windows (that's not saying very much) is NT5, known also as Windows 2000. NT4 is old and doesn't have a lot of the security features of NT5 and newer, and I find the newer versions very annoying. I don't need help clearing my desktop of unused icons.
Windows has many fundamental shortcomings, but the major ones you must address, particularly in an environment where non-tech people will be using the machine, are the following:
runas (and even then, this is a horrible hack since there's no way to restrict the credentials to just one application).After you install the OS, run the latest service pack installer; reboot; run windows update and update until you've got everything. Then you can start worrying about apps. You should create a local administrator account (I call mine "install") for this purpose. This way, if something totally hoses this account, you can just delete it, recreate it, and be on your way. You do NOT want to hose the "Administrator" account; doing so will almost certainly require a reinstall.
There are probably certain settings you want, such as explorer view settings and so forth. Go ahead and set these in the install account. I usually set the GUI stuff for "best performance" on Windows xp and later; doesn't matter much on 2000. I also get rid of all the extra data entry junk (voice recognition and so forth).
Unfortunately, removing IE is a bad idea (TM) in most cases, though I tend to remove all the shortcuts to it.
See Mr. Clausen's Windows xp build and Windows 2003 Build on the ACM@UIUC wiki. Make sure you enable auto update; I also tend to play with the group policy a bit. I usually set it so that users must use Ctrl-Alt-Del at login (though that particular key combination was a poor design choice IMHO) and not to display the last user name. This is also a good time to force NTLMv2, get rid of all the junk in the system tray, and so forth.
There are a couple approaches to this:
Option 1 is relatively straightforward; the downside is that you have to give the user admin credentials in some form (usually this means giving them an admin password). Option 2 is "the right way", but getting it to work can be a real pain.
Implementing option 1 is trivial: create an account, install the app, and use runas.
Option 2 is much harder to implement, but for many common apps the work may already be done for you. Usually the issue is that the app's installer did not correctly set permissions for non-administrators.
Googling for "WTS <appname>" may reveal that someone has already figured out how to fix the given application (entities that run Terminal Services often need this). "WTS" stands for "Windows Terminal Services".
If you don't find a solution, you can sit down with file and registry monitors and attempt to fix permissions. I don't have the patience to get this method to work; the fix for Palm Desktop below has some attached explanations for alternative means of fixing permissions.
You should NEVER use an administrative account for day to day use. There's simply too much potential for damage from spyware, viruses, and the like. As soon as you have a working system create and use a normal user account. If necessary use runas to run the occasional administrative tool or finicky application.