The first account: are you just trying to restrict access to certain data on the computer or are there specific services that you don't want to let him get access to (cybernanny, etc)?
If files - then allow higher access level, but then deny read / execute on the files you don't want him to have access to. The Deny will override any "allow" permissions.
With the younger son - why are you restricting it so much? I'm not sure about restricted user - I've never used that level, but if you're just trying to make sure he can't get online, then maybe simply denying him execute (or even read?!?) on any web browsers, media players, etc. Again, the Deny will override any "Allow" permissions granted to the rest of Program Files.
If he's a standard user and has no install permissions, then he won't be able to install Mozilla or anything like that.
I appreciate your sentiments wrt restricting access, I'm not questioning that element of what you're asking: just try to be clearer as to what you're trying to restrict on these two accounts.
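
The Deny-over-Allow approach described in the reply above, as an added PowerShell example that is not part of the original post. The account name `son1` and the folder `C:\Private` are hypothetical placeholders; run it from an elevated prompt.

```powershell
# Added example. 'son1' and 'C:\Private' are hypothetical values,
# not taken from the post; substitute the real account and path.
param(
    [string]$Account = 'son1',
    [string]$Path    = 'C:\Private'
)

# Deny read and execute on the folder, its subfolders and its files.
$rights  = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$type    = [System.Security.AccessControl.AccessControlType]::Deny

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, $rights, $inherit, $prop, $type)

# Target one account, not a broad group such as Users: a Deny on a
# group applies to every member, administrators included.
$acl = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read the ACL back. The explicit Deny entry sits alongside the
# Allow entries the account receives through group membership
# (for example BUILTIN\Users); the Deny is the one that takes effect.
(Get-Acl -Path $Path).Access |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -or
        $_.IdentityReference -like '*\Users'
    } |
    Format-Table IdentityReference, AccessControlType,
                 FileSystemRights, IsInherited -AutoSize

# To undo the change later:
#   $acl = Get-Acl -Path $Path
#   [void]$acl.RemoveAccessRule($rule)
#   Set-Acl -Path $Path -AclObject $acl
```

Test the result by logging on as the restricted account and trying to open the folder, since the ACL listing alone does not show effective access.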