I'm not sure you can granularly restrict the specific interfaces from being modified if you are going to allow others. There are a few options scripting the networksetup command with say a LaunchAgent triggering a script. or a casper policy to trigger a script every X minutes/day to re-enforce the settings, e.g.:
networksetup -setnetworkserviceenabled 'Bluetooth PAN' Off
networksetup -setnetworkserviceenabled 'Thunderbolt Bridge' Off
networksetup -setnetworkserviceenabled 'Firewire' Off
The key with network setup is it's very particular about the exact name of the interface. Disabling Firewire doesn't disable Thunderbolt Firewire. Can the user still enable these services? If they have admin rights, you bet. You could optionally remove the interfaces (networksetup -removenetworkservice <network service name>) if they are detected instead of disabling them, but an admin can still re-add it.
