Microsoft Knowledge Base Article 320181 contains the following summary:
This article describes how to use the Windows 2000 Terminal Services Application Security tool.
If you are an administrator, you can use this tool to limit user access to a specific list of programs.
The Application Security tool is included as-is in the Windows 2000 Resource Kit.
Because it may be difficult to configure a server that is running Terminal Services correctly, you must build your Terminal server in a test environment. Also, you may have to implement policy settings that restrict the functionality of Microsoft Windows Explorer and Microsoft Internet Explorer to help you meet design goals.
You can use the appsec command to start Application Security. You can use Application Security to specify exactly which programs the client computers can run. Application Security works in a similar way to system policy settings that allow users to run only specific programs. However, a system policy setting does not prevent users from running a program from the command prompt. If you use Application Security, you can prevent users from running a program from a command prompt.
You can use Application Security to control the executables files that a user can open. Some programs may use dozens of separate executable files; you must specify all of these files if you use Application Security. You may want to use Application Security if you want the clients to run only a few programs. However, if the clients are running more than a few programs, you may find it easier to use policies and profiles or NTFS file system file and folder permissions to restrict users from using certain programs on a Terminal server. You can use Application Security in conjunction with Group Policy restrictions to both turn off and hide restricted programs.
Administrators typically use Application Security to restrict access to users when they use Terminal Services in Application Server mode. Application Security allows important tools to be either available on the computer or accessible on the network for administrators, but it restricts the actual programs that a user can run. If you use Application Security, administrators can always run any executable file, but other users can only run programs that are listed in the Authorized Applications list.
You may also want to use Application Security in Windows 2000 to deploy a Terminal server that is used by Internet users. If Internet Connector licensing is turned on, all Terminal Services client logons are to the same user, TsInternetUser. You can use Application Security to configure the server so that the users who are connecting from the Internet can run only the programs that are listed in the Authorized Applications list.