There are a few ways about doing this. First way would be a GPO assigned to your domain users. The second way would be to redirect the users desktop to a network location where they only have read access. The 3rd way would be to create a manditory profile which will still allow the user to save files to the desktop, but once they have logged out all changes made will be reset to the defaults.
Take a look at this social tech net for references and steps to create a GPO to block desktop restriction.
http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/042a06f5-bf36-48ae-b982-77cd75f56cabHope this helps.