I'd like to thank everyone who gave their time and thought to this, especially ledtech3, who probably now has less hair than when we started, thanks to trying to sort out the API calls on MSDN!
I have now worked out a solution. It wasn't the one I'd originally intended, but in many ways it does the job better than my original solution.
I used the sample code from http://code.msdn.microsoft.com/windowsdesktop/VBWin7TriggerStartService-dcd0e7cf
to build a service which raises the user account to the Administrators group on boot-up if it detects a correctly formatted pen-drive on the USB bus, and "re-locks" the machine on next boot-up if the pendrive has been removed.
I then placed all the admin and management buttons directly onto the "secure kiosk" desktop, and injected code which hides and disables them if it detects that the user is not in the Administrators Group. I'm also working on a neat little trick to switch the "Parental Controls" on and off in the same way, and I'm going to publish some of the code for that in another thread.
I don't want to use the "I've solved this myself" button, because I didn't! Without the input from all of you, and from the MSDN website, I'd have had no chance. Maybe the Code Project people should think about putting a new button on here, something like "Problem solved with help from Code Project users"... ?
If anyone wants any further details on how I did it, or any code-snippets of the solution, please feel free to ask, and I'll happily e-mail them to you. Unfortunately, I can't post the entire code here, as it is part of a bigger commercial project with security implications.
Thanks once again!