Restricting admin access across a Wordpress Multi Site network

I'm right at the beginning of setting up a potentially large network of sites using Wordpress Multi Site, and I'm obviously very keen to get it right from the off.

My network is a bit different to most, as I want far more control of users / sites than normal. My service will work as follows:

1. Person contacts me requesting a site on my network, stating which theme they want
2. I set the user and site up through the Network Admin area, creating their site as a subdomain of the main site
3. User gets admin access to create / manage posts and pages

I don't want admins of subsites to be able to access any of these areas:

1. Appearance > Themes (I would like admints to be able to access Widgets + Menus)
2. Plugins
3. Tools
4. Settings
5. Maybe Users

I need to keep control over site designs, settings, plugins etc., to keep a consisten experience for all visitors. Subsite owners will simply use their sites for creating and publishing content.

Can anyone gives some guidance to good plugins etc. that will help me lock the site down like this?