Just a word of caution that I've been having issues with the CL (/usr/libexec/ApplicationFirewall/socketfilterfw) for Apple's application firewall. I have an open ticket with Apple right now and I've seen other post similar experiences. Here's a link to one
https://jamfnation.jamfsoftware.com/discussion.html?id=7329
I can add and remove applications ok but blocking and unblocking doesn't seem to work in 10.8 or 10.9. Maybe you will have a different experience but do some testing before you put a lot of time into it.
As far as locking it down from admin users I know there are a few 'exploits' to bypass any restrictions you set up so I don't believe you will be able to stop admin users from turning it off if they really want to. Of course you could annoy them by having a policy continue to check if it's on or not and turn it on if they have turned it off.
Hope that helps
