Policies will be uploaded when they are finished without error.
You see SYSTEM without remote access in management console components defaults.
You give Everyone full permission and every other group/user combined that are not Everyone, Authenticated, Local user and administrators groups, INTERACTIVE, CONSOLE LOGON in a group with major NT SERVICES - separately with NETWORK, SERVICE, SYSTEM including NETWORK SERVICE, LOCAL SERVICE in registry without inheriting to control set services. User Rights Assignments in group policy needs administrators, users, NETWORK, SERVICE, SYSTEM including NETWORK SERVICE, LOCAL SERVICE in every descriptor too.
Classes, Windows runtime, HKEY_USERS user identificator entries can only be read by group/user combined and users can only read it too. Same for WMI root in management console and components management console where they are given that group/user combination and users themselves only local access as for components and only enabled account in WMI root as the entry is being added. Where in defaults of components IUSR, ANONYMOUS, power users, guests are blocked and in limits only power users, guests are blocked.
Permissions are done without overriding as parent.
The servers software file system maps, high-end security software maps or internet demanding file system maps like steam for gaming are given the read only access as for users themselves and the group/user combination in users management console that you made is given the same read only by any chance removing authenticated users, and giving your own single user account profile read and execute permission.
SNORT automatic service with community rules, COMODO OPENEDR, BESTCRYPT data shelter whole drive with default policy and DISKDRILL licensed with BEETHINK DDOS protection.
To wrap it up you deny logon locally in User Rights Assignments to the group/user combination that you made and all other deny entries like deny logon as a batch job or deny remote desktop have guests group blocked. Don't forget to create a group within itself for your single user account profile itself it will add up automatically to your user profile.
Use encrypted containers or encrypted virtual hard drives instead of disk encryptions for any work since internet.
The end. Enjoy.