i think the only way to do this is to not show any options in the system tray, that way users cannot right click on the agent/virusscan icon and scan computer for threats.
Addtionally, put a password on the virusscan console. That way all options are greyed out.
Problem is they can still run Start/programs...... and launch the console and then right click the on demand task, or indeed right click any drive/folder and scan.
Just a thought: What if, at the NTFS file permissions level, you remove users' ability to access...
C:\Program Files\McAfee\VirusScan Enterprise\scan32.exe
In testing it, it seemed to work for me and the on-access scanner still detected an EICAR I created on the computer.