Hello,
That is not possible from Symantec Endpoint Protection to specifically stop a user from tamper a particular services from services.msc via A&D Policy.
However a good idea.
I have created an IDEA for you. https://www-secure.symantec.com/connect/ideas/specifically-stop-user-tamper-particular-services-servicesmsc
Let's Promote the same!!!
However, Incase if you want to protect a file from being Modified, you may apply a Application Control rule for the same.
It is similar to the Application rule for "Block modifications to hosts file [AC6]"
Check these Articles:
How the Application and Device Control Hardening policy works
http://www.symantec.com/docs/TECH132307
Hardening Symantec Endpoint Protection (SEP) with an Application and Device Control Policy to increase security
http://www.symantec.com/docs/TECH132337
and
How do I Block hosts file modification using Symantec Endpoint Protection (SEP) Application and Device Control policy?
https://www-secure.symantec.com/connect/downloads/how-do-i-block-hosts-file-modification-using-symantec-endpoint-protection-sep-application-
Hope that helps!!