I would suggest you set the user's permissions based upon the access they require when connecting via SSMS.

When they connect via some other application you can have that application connect using an application specific account and set the SQL permissions for that account accordingly or alternatively if the application calls stored procs you could have those stored procs run as a more privileged account and grant the user EXECUTE rights to the specific stored proc.

The former will be easier to implement but if you need to track who the actual users are that funcionality would need to be built in to the application. The latter if properly implemented should be more secure.