Something which came up a couple of days ago was a question about creating a service account for a custom service, but not being able to logon interactively with it. The solution is very simple through the use of User Rights Assignment. Fire up the Local Security Policy snap-in from Administrative Tools. Navigate down the tree to:

Security Settings
  Local Policies
    User Rights Assignment

Depending on your requirements, add the user to "Deny log on Locally" policy rule, or remove the user from the "Allow log on Locally" policy rule. However, be sure to read KB823659 before changing and security settings or user rights assignment.