I have a business requirement to set up air-gap PCs that have an unmanaged SEP12 client that is severely restricted in its functionality. Meaning that non-administrator users can only scan USB keys and cannot change any settings. This was done successfully under Windows XP but now we are migrating to Windows 7 with SEP12.
Under SEP11 I had set up the firewall rules to ONLY allow LiveUpdate and Windows Update to run. The LU process was LuComServer_3_3.exe. I don't know what that process is under SEP12 but I suspect that it is ccSVCHst.exe. Can someone point me to the right process to allow through the firewall?
Also, I know that under SEP11 if you set DENY right to the SMCGUI.exe process for a non-admin account, the user can't make any changes to its configuration. They can still open SEP11, but all the options to change the firewall settings/disable anti-virus are grayed out and inaccessible. Is this still possible?
Below is a complete list of changes to my SEP11 clients to lock them down. Keep in mind, these machines MUST be set up to be stand-alone and can't rely on a management server.
Client Firewall Settings:
- All firewall rules removed
- Added Allow LiveUpdate rule
  - Allow outgoing traffic for all protocols for process C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.exe
- Added Allow Windows Update TCP rule
  - TCP Remote Ports 80,443 and Local Ports 1-65535 for both traffic directions
  - Processes are: svchost.exe and ntoskrnl.exe
- Added same rule for Windows Update but for UDP
- Added Block Network Traffic rule
  - All IP Protocols for both directions
Client File Permission Settings:
- Set DENY MODIFY right to basic user account on C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
Client Registry Settings:
- HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate
  - Modified Schedule key with the following attributes:
    - Basic user account has ALLOW Query Value, Enumerate Subkeys, Notify
    - Basic user account has DENY Set Value, Create Subkey, Create Link, Delete, Write DAC, Write Owner
I'd appreciate any help on finding the actual LU process so it can be allowed through the firewall. If there's anything in my configuration that's redundant, I'd appreciate knowing that too so I can remove it. The whole purpose of these machines is to sit unattended and not allow people internet access.
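The file-permission and registry-permission steps from the list above can be applied and verified from a script instead of by hand in Explorer and regedit, which matters when the same lockdown has to be reproduced on several stand-alone machines. The PowerShell below is an added example, not code from the original post or from Symantec; it assumes the local non-admin account is named BasicUser (a placeholder) and uses the 32-bit install paths quoted in the post. The SEP client firewall rules are not covered here, since those live in the SEP policy rather than in Windows ACLs. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): applies the file and registry
# lockdown steps listed above on a stand-alone Windows 7 machine and reads
# the resulting ACLs back so the deny entries can be confirmed.
# Assumptions: 'BasicUser' is a placeholder for the local non-admin account;
# the paths are the ones quoted in the post.

$user     = 'BasicUser'
$smcGui   = 'C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe'
$schedKey = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\LiveUpdate\Schedule'

# 1. File permissions: DENY Modify on SmcGui.exe for the basic user account.
$fileAcl    = Get-Acl -Path $smcGui
$denyModify = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                         -ArgumentList $user, 'Modify', 'Deny'
$fileAcl.AddAccessRule($denyModify)
Set-Acl -Path $smcGui -AclObject $fileAcl

# 2. Registry permissions on the LiveUpdate\Schedule key.
#    ALLOW: Query Value, Enumerate Subkeys, Notify
#    DENY:  Set Value, Create Subkey, Create Link, Delete, Write DAC (ChangePermissions),
#           Write Owner (TakeOwnership)
$regAcl    = Get-Acl -Path $schedKey
$allowRead = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
                        -ArgumentList $user, 'QueryValues, EnumerateSubKeys, Notify', 'Allow'
$denyWrite = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
                        -ArgumentList $user, 'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership', 'Deny'
$regAcl.AddAccessRule($allowRead)
$regAcl.AddAccessRule($denyWrite)
Set-Acl -Path $schedKey -AclObject $regAcl

# 3. Read the ACLs back and show only the entries that apply to the basic user,
#    so a deny that silently failed to apply is visible before the machine ships.
Write-Host "ACEs on $smcGui for $user"
(Get-Acl -Path $smcGui).Access |
    Where-Object { $_.IdentityReference -like "*\$user" } |
    Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

Write-Host "ACEs on $schedKey for $user"
(Get-Acl -Path $schedKey).Access |
    Where-Object { $_.IdentityReference -like "*\$user" } |
    Format-Table IdentityReference, AccessControlType, RegistryRights -AutoSize
```

Deny entries are evaluated before allow entries in Windows ACLs, so the DENY Modify on SmcGui.exe holds even if the account also inherits a broader allow from the folder; the read-back at the end is the check that both the allow and deny entries landed on the Schedule key as intended.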