Hello,
It's an old post but currently it's what I'm working with so I want to share some experience:
The .msc files are merely sets of snap-ins, which are used in Microsoft Management Console (mmc.exe). A snap-in is an individual item on the console root, the list in the left panel of the application. As an example, compmgmt.msc is the console consisting of various snap-ins like Task Scheduler, Disk Management, Services etc.
The problem is, protecting an .msc file is not a solution - yes the user access is denied when it's launched via Run -> compmgmt.msc, but still users CAN launch MMC.EXE itself and then load whatever snap-in they wish, like this:
These items are NOT read from .msc files, but from the registry, which points to the respective DLL files in the system folder. You may consider protecting MMC.EXE itself, but in my case users did require some level of access (e.g. Event Viewer), so this was not an option for me.
The only solution seems to be blocking access to the aforementioned DLL files. For example, the Device Manager snap-in uses %systemroot%\system32\devmgr.dll, so you need to protect this one. You can learn which DLL files are used by a specific snap-in under this registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns
Working with administrator accounts is difficult; I hope this helps.
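
The lookup described in the post can be scripted. The following is an added example, not part of the original post: a read-only PowerShell inventory that maps each snap-in registered under the key above to its DLL and lists who may currently execute that file. It assumes each snap-in subkey name is a COM CLSID registered under HKLM:\SOFTWARE\Classes\CLSID; the function name Get-MmcSnapInDll is made up for this example.

```powershell
# Added example (read-only): map each registered MMC snap-in to its DLL.
# Assumption: the snap-in's subkey name is a COM CLSID registered under
# HKLM:\SOFTWARE\Classes\CLSID\<clsid>\InprocServer32.
$snapInsKey = 'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns'
$executeBit = [System.Security.AccessControl.FileSystemRights]::ExecuteFile

function Get-MmcSnapInDll {
    foreach ($key in Get-ChildItem -LiteralPath $snapInsKey -ErrorAction Stop) {
        $clsid  = $key.PSChildName
        $inproc = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -LiteralPath $inproc) {
            # The default value holds the DLL path; strip optional quotes.
            $raw = (Get-Item -LiteralPath $inproc).GetValue('')
            if ($raw) {
                $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
            }
        }
        $allowed = @()
        # Bare file names (for example managed snap-ins hosted by mscoree.dll)
        # do not resolve here and are reported without an ACL summary.
        if ($dll -and (Test-Path -LiteralPath $dll -PathType Leaf)) {
            # Identities with an Allow ACE that includes the execute right.
            $allowed = (Get-Acl -LiteralPath $dll).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and
                               ($_.FileSystemRights -band $executeBit) } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique
        }
        [pscustomobject]@{
            Name       = $key.GetValue('NameString')
            Clsid      = $clsid
            Dll        = $dll
            CanExecute = $allowed -join '; '
        }
    }
}

# Sorting by DLL groups snap-ins that share one file.
Get-MmcSnapInDll | Sort-Object Dll, Name | Format-Table -AutoSize -Wrap
```

Where several snap-ins resolve to the same DLL, a deny on that file affects all of them and any other program that loads it, so review the grouped output before changing permissions.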