Etienne Tremblay has a post on his blog, "TFS Server Administrators (when you can't be a Windows server administrator)", that describes what I consider to be a best practice for managing Team Foundation Server, which is to use an Active Directory group. By doing so, you need only add or remove membership in one place to control who can create a team project. Normally, you'd have to go to three separate places to do this, or use the TFS Administration Tool found on CodePlex.
I have found that the simplest way to manage that particular group of users was to start by creating a Domain Windows Group and assigning your TFS admins to that group. You will see why this is important when I talk about WSS. You can assign individuals to the various Applications, but I don't recommend it for manageability (it's easier with a group).
In addition, see Etienne's post on Legacy Visual Studio Support in Vista.