Hmm, I got part way there. I was able to drop xcacls.vbs into the NETLOGON share and use it in a logon script to remove permissions from the user's desktop folder.
cscript.exe %LOGONSERVER%\NETLOGON\xcacls.vbs "%USERPROFILE%\Desktop" /G %USERDOMAIN%\%USERNAME%:r BUILTIN\administrators:f "NT AUTHORITY\SYSTEM":f
The user can still delete shortcuts from the all user's desktop, but I think I'll just leave it at that.