Hallo ManeIR
Is it possible to protect the pc in WinPE, so that the user can't do anything:
Short answer, yes this is possible, don't know if you noticed it but you within the PXE, PE configuration can tick on so that it is locked.
If you need further direction on to where it is, lemme know and i'll find the screendump for you.
The default configuration on the express share is as you have found out, the user can delete it all... ;)
I have on installations where the admins has requested it, done some hardening.
What i normally do is i grant the user which runs the bootdisk (configured on the bootdisk itself) put "Read" access on the NTFS permissions on the express share, and ONLY on the \\servername\express\Temp put read\write permissions.
This does what you want to do, and makes sure your jobs doesn't fail, which they will do if you don't have the access on the temp folder.
/Morten