Group Policy and Laptops
Something that is not always understood about Group Policy is this. Say a user has a laptop and uses it to connect remotely to the corporate LAN. Depending on how the remote connection is configured, Group Policy usually is processed to lock down and secure certain functionality on the machine.
Now the user logs off and disconnects from the corporate network and uses the machine as a standalone computer using their locally cached user profile. Are the Group Policy settings that were previously applied still in force? Yes, and they will continue to be enforced until the user connects to the network again and logs on and policy is refreshed.
Of course, if the laptop user has local Administrator privileges on thier machine, they can log on using the Administrator account and overwrite any registry-based settings that were configured by Group Policy. So the moral is, don't give users Administrator privileges without some absolutely compelling reason to do so!