Locking down security.config

We (IT) have placed the .Net 1.1 Framework onto our 600 Windows 2000 client machines . We have locked down the clients so that they cannot change the Runtime Security Policy by going to Control Panel->Administrative Tools->Microsoft .NET Framework 1.1 Configuration. However we have just noticed that a User could change for example the Machine Security policy by editing file c:\WINNT\Microsoft.NET\Framework\v1.1.4322\config\security.config which by default allows Everyone Write access. This potentially allows any User to allow code from any location they choose to run on their machine, overriding our settings. To fix this we were planning to make all files under the c:\WINNT\Microsoft.NET\Framework\v1.1.4322 folder Read only for Everyone. Is this a good solution ? or is there a better way of doing it Thanks John