Your other two requests are difficult to handle. For controlling devices, you MAY be able to control USB devices, but it's something I've never tried. When you connect a USB device, certain registry keys are written to denote the connection. If you prevent access to those keys and/or prevent them from being created, it should prevent the USB device from being accessible. You would need to do some research into it and then test it to ensure you don't cause more problems than you solve. Symantec Endpoint Protection is much better equipped to handle device control.
Services are somewhat easier, but still have some "gotchas." To prevent a service from starting, you can prevent access to the executable responsible for starting the service. For example, to prevent the Print Spooler from launching, you would place the following entry in the "Global File No Access" portion of the policy:
*spoolsv.exe"
The "gotcha" with this is that many of the built-in Windows services run under "svchost.exe," so preventing access to this file will have many far-reaching consequences. Your better option here may be to secure those services through Group Policy.
Chris Tyrrell
Conventus Corp
ctyrrell@conventus-sei.com
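
The svchost.exe "gotcha" described in the reply above can be checked before writing a file no-access rule. The following PowerShell is an added example, not part of the original post: it groups services by the executable that hosts them, so a shared host is visible before it is blocked. The function names and the sample rows are assumptions made for illustration.

```powershell
# Added example (not from the original post): count how many services
# depend on each executable before blocking that executable by policy.

function Get-ServiceImagePath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments.
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    return $PathName
}

function Get-ServicesByExecutable {
    # Defaults to the live service list; pass -Services to use other rows.
    param([object[]]$Services = (Get-CimInstance -ClassName Win32_Service))
    $Services |
        Where-Object { $_.PathName } |
        Group-Object { (Split-Path -Leaf (Get-ServiceImagePath $_.PathName)).ToLowerInvariant() } |
        ForEach-Object {
            [pscustomobject]@{
                Executable   = $_.Name
                ServiceCount = $_.Count
                Services     = ($_.Group.Name | Sort-Object) -join ', '
            }
        } |
        Sort-Object ServiceCount -Descending
}

# Constructed sample rows shaped like Win32_Service objects, so the
# grouping can be seen without querying a real machine.
$sample = @(
    [pscustomobject]@{ Name = 'Spooler';  PathName = 'C:\Windows\System32\spoolsv.exe' }
    [pscustomobject]@{ Name = 'Dhcp';     PathName = 'C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p' }
    [pscustomobject]@{ Name = 'Dnscache'; PathName = 'C:\Windows\system32\svchost.exe -k NetworkService -p' }
    [pscustomobject]@{ Name = 'ExampleAgent'; PathName = '"C:\Program Files\Example\agent.exe" --service' }
)

Get-ServicesByExecutable -Services $sample | Format-Table -AutoSize

# On a live host, omit -Services to query the real service list:
# Get-ServicesByExecutable | Format-Table -AutoSize
```

An executable with a ServiceCount of 1, such as spoolsv.exe in the sample, affects only its own service when blocked; a row listing many services marks a shared host where blocking the file stops all of them.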