for #2 & 3, why not create a new/different user, and use that for the off hours processing?

have you determined what the impact would be if you killed the user @9am, or was running more than 30 minutes? I've seen transactions take 3 times as long to rollback as it did to run before it was killed.

the better solution is to fix those slow running queries in the first place...i'd bet 5 dollars right now it involves cursors.(which with some smart coding can be removed and see one or two orders of magnitude performance enhancement.

for #1, the right thing to do is to change the password so noone can use it in the first place...an application should use an application role, so the password is never used at all, or at least should read the encrypted value from a config file, isntead of everyone knowing they can use SSMS.

a crappy work around for #1, is to try to create a logon trigger that detects the application name, but that's not guaranteed, as it can be set by the person runnning SSMS if they know what they are doing.