everything you want is done through the Group Policy User Account Control.

1) you can
2) you can hide disks in the explorer, from all users of winreview.ru/kak-skryt-disk-v-provodnike-v-windows-7 there are also special programs that replace the shell and do all that www.runpad-shell.com
3) you can prohibit the launch (and installation) of any software except what is installed by the administrator https://habrahabr.ru/post/101971/
5) nothing can be installed or launched, no way

You can set up Windows in kiosk mode. When you enter the second profile, one pre-configured application will automatically start. Nothing more can be done.

it is possible, for example, by setting a sandbox, such as shadow user.

Put a password on the bios so that you can't boot from a livecd or flash drive and get rid of all your protection

so you can create a second profile with user rights, you can also assign rights to ntfs partitions, can you run on a specific one through gpo? but all this work is in vain if there is physical access to the PC and usb ports are working, loading from dvd and other devices, you can reset access rights on the partition, reset the admin password to your own, and then change everything in the system, even if you don’t reset the password, then you can throw scripts and software to attack the OS
so the answer is yes but no !

1. First you need to decide what is harm . Destroy a piece of equipment? Erase data? Encrypt something important? Turn him into a spamobot? Burn a hole in the monitor matrix?
2. You can.
3. You can.
4. Can delete, damage, overwrite files to which there is write access (by default - a profile, as well as all folders to which access was not explicitly set). Can copy and carry files that have read access. A more advanced user can run a portable program from a flash drive / DVD - and all this "safety" of yours turns into a pumpkin. An even more advanced one can run the admin password reset program from a flash drive / DVD
5. Most likely it will, but it depends on the software
You have the biggest hole here, just the size of a tractor - this is physical access to the system manager. You don't have to be Snowden to figure out how to run Total Commander/Far from a flash drive and see all the drives. You don't have to be a Mitnick to burn a bunch of admin password crackers on DVD - one will work. There should be either a removable media control program and a USB blocker, or these media should be absent in the computer, and USB is simply disabled (the wires are unhooked from the mother), the case is either sealed or simply tightened tightly on all screws.

1. Possible, but not 100% In any case, in this way, the possibility of disrupting the system can be minimized. For example, the user will run the ransomware and it will encrypt only the files in his files. Other profiles and the system will remain healthy.
2. Maybe
3. Maybe
4. If physical access is not taken into account, then the user can elevate his privileges. At 7 it's still possible, I don't remember exactly how, but it's possible. This is the main and main threat. Most users will not be able to do this.
5. It will not be provided that the rights are correctly configured. For example, prohibiting the launch and installation of software.