Not sure what version of EEPC you are running, but in 7.x it is in the user based policy for EEPC. Under the password tab check the box to prevent change.
First of all wrong section.
Second "Prevent change" in UBP should do the trick. Have you enforced new policies?
Moved to encryption: ePO managed group.
You need to specify what product/version you are refering to.
Yes, setting the "disable password change" option in the policy should remove the button from the pre-boot screen. This should not be part of a UBP though unless you are using UBP's for every user - better to use a system based policy, then it applies to every machine.