It sounds like you want to have quite fine-grained control over what each user is able to do, in which case I would investigate using sudo. This will also help with logging who tried to do what to help track down any problems in future.
sudo will run commands for the user as root (or some other user), while requiring only that the user knows their own password. You can configure exactly which commands each user is allowed to execute, so you could enable su only for user A and not for users B and C.
The basic setup would be to deny execute access to every user for every program, except those listed in the sudoers file. You can't just disable individual programs, because the users could then install their own copy into their home directory and just use that.
There are a few tutorials on sudo out there, but running "man sudoers" seems to give more useful information than any I've seen.
If B and C know the passwords of other users, you need to think about how you are going to stop B and C from logging in to other accounts. You can do this by configuring PAM appropriately to look for other information (keycards, retina scanners, etc.), which may involve writing a PAM module or finding an appropriate one through the web.
I don't know much about PAM myself, but you can look into configuring it at
http://www.kernel.org/pub/linux/libs...x-PAM_SAG.html
Hope that helps,
—Robert J Lee
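
An added example, not part of the post above and not taken from any real system: a sudoers fragment for the allowlist setup the post describes, with the "disable one program" approach it warns against shown commented out for contrast. The account names alice, bob and carol (standing in for users A, B and C), the command paths and the log file location are assumptions.

```sudoers
# /etc/sudoers.d/team   (constructed example; edit with: visudo -f /etc/sudoers.d/team)
# alice, bob and carol are placeholder accounts for users A, B and C.

# Record every sudo invocation, permitted or refused, in a dedicated file.
# The path is an assumption; sudo also logs through syslog by default.
Defaults logfile="/var/log/sudo.log"

User_Alias  MAY_SWITCH = alice
User_Alias  OPERATORS  = bob, carol

# Commands are matched by absolute path. These paths are assumptions.
Cmnd_Alias  SWITCH_USER = /bin/su
Cmnd_Alias  WEB_OPS     = /usr/bin/systemctl restart nginx, \
                          /usr/bin/systemctl status nginx

# Weak: grant everything, then subtract one program. The negation only
# matches the listed path, so a copy of the same program stored anywhere
# else is still covered by ALL. Left commented out on purpose.
# OPERATORS ALL = (root) ALL, !SWITCH_USER

# Allowlist: each group gets only the commands named for it. Anything not
# listed is refused and the attempt is logged.
MAY_SWITCH  ALL = (root) SWITCH_USER
OPERATORS   ALL = (root) WEB_OPS
```

Check the file with `visudo -c -f /etc/sudoers.d/team` before relying on it. Each user authenticates with their own password, so the log entries identify who attempted which command.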