Choosing the right distro, Locked down from within.

I'm looking to put a box at a client site which will be connected to the client's home router for internet.

That box will have remote access software on it and will have untrustworthy contractors logging in and using the browser. So, I'm looking for a distro that would be LOCKED DOWN to the max from the user side.

Regardless of the distro I'm planning on blocking all possible applications, (especially the terminal) leaving only the browser accessible. Blocking all the ports and all the domains aside from the 2 that the user/contractor should access. The user will have non-admin privileges of course.

So, taking all that into consideration, is there a distro that somehow facilitates being locked down from within, to minimize the possible attack surface?

That's a home network we're talking about, so I'm considering security VERY seriously.
Can the security even be guaranteed to a certain extent with this setup, should I even go ahead with this project?

Any and all other possible security tweaks are definitely welcome, I'm a newbie so everything and all is new to me.

Guys, your thoughts are greatly appreciated!

Thank you beforehand!

Locking down is more an administrator thing than a distribution one. No amount of locking will do any good when they can drop in a CDROM and hit F12 on boot, after all -- that's something you have to think of and prevent. And no distribution will come with a kernel built to match your machine and exclude any device drivers for hardware they don't absolutely need.

Use the old grub-0.97 bootloader for loading. It's much simpler to configure than the new one when you have a static disk layout, and can be locked down pretty thoroughly.

Use a distribution like Gentoo or Slackware where you you get what you install and ONLY what you install, no more, no less.

Build your own kernel. Exclude any and all device drivers for things they shouldn't be using. If you give them a PS/2 keyboard and mouse, you don't even need to enable USB!

Make /tmp/ its own partition, with the 'noexec' flag given in /etc/fstab so nobody will ever be able to run executables in it. Come to think of it, do that for /home/ too.

Make their home directory and profile files read-only and owned by root. That way they can't alter, delete, or replace any config files, and won't be able to download into it. ~/.firefox/ or what have you will have to be writable, though. Make their login shell a restricted shell, /bin/rbash. If they ever get into a shell login somehow they won't be able to do anything useful with it.

Don't give them Java if you can avoid it. You can make an ersatz anything in Java.

Alter /etc/inittab to not spawn terminal logins on VT1-VT6. This will prevent them from doing ctrl-alt-f1 and getting into a raw text console.

Don't install a big WM like Gnome or KDE which will come with thousands of apps and built-in security holes for user convenience. Install something small and predictable like Fluxbox. You get easily-configurable menus and no bundled programs.

And lastly, secure the machine itself. Put in a BIOS password, prevent booting from external media, disable the PXE boot ROM, stick a good padlock in the little loop that prevents people from opening the machine, etc, etc.