hi,
The options for zentyal-ltsp work very well. I use a slightly custom setup, but overall it works great.
The building of the image and serving are pretty straight forward and documented.
Users can modify things during the session, but they can't access the image (not in the way you are thinking, anyway), although they might be able to set preferences in their home folders. You might want to look into the "web kiosk" feature of LTSP. You can find more info @ ltsp.org and also
https://help.ubuntu.com/community/UbuntuLTSPIdeally, you want to group the clients in the network. Either on an exclusive segment or even physically. This is not strictly necessary, but it makes things like limiting web-access easier.
As far as websites go, I think your best bet is to use squid with a "whitelist" profile. Once you have your clients grouped (by nic, by net or subnet, etc) you get squid to apply the profile to that particular group. That should limit their access to only those domains you define in the whitelist.
I hope it's only a few domains, you don't want to be entering a long list of domains in the profile page!!!