Everything past Item #1 is something considered “Standard” behavior with a secured Windows installation. If you have a Domain environment, you should do them via Group Policy Object (GPO) entries. If you don’t have a Domain, look up how to deploy Local Group Policies with BigFix. There are plenty of examples of how to do this in BigFix. It amounts to a Registry Setting. You would need to leave the Deployment BigFix Action Open perpetually so that if the settings were ever reverted by someone, BigFix would restore them to their secured settings.
I’m not clear what you are referring to with Item #1.