Your best free tool for limiting what others can do on your PC is the System Policy Editor. To protect a single system, start by setting up multiple profiles, as if you were going to let other users work on the machine, each with a unique batch of settings.
In Windows 95, double-click the Passwords icon in Control Panel and click the User Profiles tab. Select the second option (it starts with users can customise their preferences), then any other options as desired. Follow the prompts to restart the computer. When prompted, type in a name and password, followed by a confirmation of the password. Windows will ask if you want to set up a new profile for this identity. Click Yes. In Windows 98, things are simpler: In Control Panel, double-click the Users icon and follow the on-screen directions in the Enable Multi-user Settings wizard to create a new profile.
Once you've created a profile for yourself, you're ready to use System Policy Editor to restrict the access of those who don't know your password. (If you haven't installed this tool, search for the poledit folder on your Windows CD-ROM in \tools\reskit\netadmin, or download it from www.microsoft.com/windows95/downloads.) Since you'll be using it to modify the Windows Registry, back up user.dat and system.dat and any .pwl files -preferably to removable media that you can keep in a secure place - before you go any further.
Now restart your computer. At the password prompt, click Cancel. Since this is your intended configuration for unauthorised users, set restrictions in this environment. Customise the taskbar and Start menu, removing any items you don't want others to use. Then select Start-Run, type poledit, and click OK. Choose File-Open Registry. Double-click the Local User icon. Navigate through the tree diagram and use the various check boxes to apply restrictions that will prevent damage to your system.
To make such a trap door, go to the Local User\System\Restrictions branch (Win 95) or the Local User\Windows 98 System\Restrictions branch (Win 98). Check Only run allowed Windows applications, click the Show button below this entry, click the Add button in the Show Contents dialogue box, type poledit.exe, and click OK twice. Leave yourself a way to run this application (by not disabling the Run box, for instance, or by moving poledit.exe to an obscure folder that's still accessible from Windows). When you're finished, click OK, then choose File-Save and File-Exit. Now, any time intruders click Cancel at the password prompt (Win 9x) or type a new name and password to create a new profile (Win 95), they'll get an extremely limited version of Windows. Though far from infallible, this approach will make intruding as difficult as possible for any snoop who wants to try.