When doing an audit of our network last night, I found some stuff in all users startup on some computers that shouldn't have been there and realised that one of our group policies is giving all client computers (windows XP and windows 7) what amounts to full read/write/modify/execute NTFS permissions for "everyone" on all local drives. While the C: drive is hidden via GPO, this obviously is merely obscurity.

How does everyone else set their permissions for local drives? I was wondering what settings others had in this GPO so I have something to refer to when changing these? I want to lock it down as far as possible without breaking anything (I know that the permissions required will vary slightly from network to network, but I'm looking for something to start off with).