Just apply a registry fix to disable the USB devices, rather than disabling the legacy and USB 2.0 devices in the BIOS. Create a login script that will disable this feature. We do it all the time here at work.
Then just make sure no one can run Gpedit from the control panel, disable the registry and command prompt. The only thing that can make the change to the registry and re-enable it is if a program runs at system level to make or modify the registry, but depending on your users, you would have to have a technically savvy user to figure this out.
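The approach described in the post above, written out as an added PowerShell example (not the poster's own script): the USB mass-storage driver is switched off through the `Start` value of the `USBSTOR` service, and the per-user policy values that hide Registry Editor and the command prompt are set. The key paths and values are the documented Windows ones; the script's structure (the function names, the `-State` parameter, and the split into a machine-context part and a user-context part) is an assumption made for this example. Writes under `HKLM` need administrative rights, so the USBSTOR part only works from a computer startup script or another elevated context, not from a login script running as an ordinary user.

```powershell
# Added example, not code from the original post.
# Part 1 (run elevated, e.g. computer startup script): disable USB mass storage.
# Part 2 (run in the user's own session, e.g. user login script): hide
# regedit and cmd.exe via the per-user policy keys the post mentions.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
# Start = 3 -> driver loads on demand (USB storage works); Start = 4 -> disabled
$UsbStorEnabled  = 3
$UsbStorDisabled = 4

function Set-UsbStorageState {
    # Hypothetical helper name; flips the USBSTOR Start value.
    param([ValidateSet('Disabled', 'Enabled')][string]$State)
    $value = if ($State -eq 'Disabled') { $UsbStorDisabled } else { $UsbStorEnabled }
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value $value -Type DWord
}

function Get-UsbStorageState {
    # Audit helper: report whether USB mass storage is currently blocked, so the
    # setting can be re-checked after a user with system-level access changes it.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name 'Start').Start
    if ($start -eq $UsbStorDisabled) { 'Disabled' } else { 'Enabled' }
}

function Set-UserToolRestrictions {
    # Per-user policies: DisableRegistryTools = 1 blocks regedit.exe;
    # DisableCMD = 2 blocks the interactive command prompt but still lets batch
    # scripts (including login scripts) run, whereas 1 would block those too.
    $sysPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $cmdPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    foreach ($key in @($sysPolicy, $cmdPolicy)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $sysPolicy -Name 'DisableRegistryTools' -Value 1 -Type DWord
    Set-ItemProperty -Path $cmdPolicy -Name 'DisableCMD' -Value 2 -Type DWord
}

# Usage from an elevated startup script:
#   Set-UsbStorageState -State Disabled
#   Get-UsbStorageState        # expected to report 'Disabled'
# Usage from a user login script:
#   Set-UserToolRestrictions
```

The split matters because a startup script runs as SYSTEM, so `HKCU` there is SYSTEM's hive rather than the user's; the policy values have to be written from the user's own session. Note that `DisableRegistryTools` and `DisableCMD` only hide the interactive tools: as the post says, anything running with administrative or system rights can still set `Start` back to 3, which is why `Get-UsbStorageState` is included for periodic auditing.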