The following requirements had to be met:
The user should not be able to open an interactive shell (a terminal) or run arbitrary commands,
The user should not have a view of the filesystem, so no file manager,
The user should not be able to modify or create files directly with means provided by KDE (no editor, no menuedit, etc.).
Note that these are requirements for the desktop itself, not for the applications that run under KDE. Each application has to make sure on its own that it meets them. It is known that many applications have an Open File dialog, through which a user could modify files under .kde and thereby gain the ability to run arbitrary commands.
The restrictions should apply only when the environment variable KDE_MODE is set to "restricted". If it is not set, a normal KDE desktop should open. It follows that the user can only run applications that are found in the Application menu, so the administrator must be able to provide those applications: a tool is needed to add, remove and modify entries in the menu.
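Two pieces of this can be checked from a shell wrapper: the KDE_MODE rule (only the exact value "restricted" turns the restrictions on), and the caveat about applications writing under .kde, which comes down to which files in the per-user KDE directory still carry a write bit. The following script is an added example and not part of the KDE document; it assumes the directory name (~/.kde, stood in for by a constructed temporary tree) and that the session is started through a wrapper script the administrator controls.

```shell
#!/bin/sh
# Added example (not from the KDE document): a wrapper-side check of
# KDE_MODE plus an audit of user-writable files in a KDE config directory.
# Assumptions not stated on the page: the ~/.kde layout used in the demo,
# and that the desktop is started through an administrator-owned wrapper.

# True (exit 0) only when KDE_MODE is exactly "restricted"; any other
# value, or an unset variable, means the normal desktop should start.
kde_restricted_mode() {
    [ "${KDE_MODE:-}" = "restricted" ]
}

# Echo the mode the wrapper would start. A real wrapper would then hand
# over to the session start script; here we only report the decision.
select_desktop_mode() {
    if kde_restricted_mode; then
        echo restricted
    else
        echo normal
    fi
}

# List regular files under the given directory that carry a write bit for
# owner (0200), group (0020) or other (0002). Anything listed here can be
# reached through an application's file dialog and is what an
# administrator would make read-only before handing out the account.
list_writable_kde_files() {
    find "$1" -type f \( -perm -200 -o -perm -020 -o -perm -002 \) -print | sort
}

# Number of writable files under the directory (0 means nothing to lock down).
count_writable_kde_files() {
    list_writable_kde_files "$1" | wc -l | tr -d ' '
}

# Demo on a constructed directory standing in for ~/.kde.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/share/config" "$demo_dir/share/applnk"
printf '[Desktop Entry]\nExec=/usr/bin/true\n' > "$demo_dir/share/applnk/demo.desktop"
printf '[General]\n' > "$demo_dir/share/config/kdeglobals"
chmod 444 "$demo_dir/share/config/kdeglobals"    # locked down by the admin
chmod 644 "$demo_dir/share/applnk/demo.desktop"  # still writable: gets flagged
echo "desktop mode: $(select_desktop_mode)"
echo "writable files under $demo_dir:"
list_writable_kde_files "$demo_dir"
rm -rf "$demo_dir"
```

The audit deliberately tests permission bits rather than `test -w`, so it gives the same answer whether the administrator runs it as root or as the restricted user. It only reports; which of the listed files KDE itself still needs to write in restricted mode is a decision the administrator has to make per deployment.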