On our apps server we have a few console clients running through the applciation pool that background services use. We found these by accident nad have no idea how (the two we found) ended up to run through our apps server. We don't know if there are any more out there so waht we thought we would do is create a new app pool or application instance and move our background services over to them so we could switch the existing one off and wait to see who screams.
I'm thinking create a new application called ServiceDesk.Background point it at the Console application pool and amend the config files for each background service, and then delete ServiceDesk.Framework
If these errant users are using integrated login you could set the login polict to be explicit only. If you are using something like windows 2008 R2 as the server you can add the feature/role for IP filtering and only allow the servers IP address access to this framework.
If this is 75, I'd create another application called 'Services', change all the service applciations to use that and then delete the origonal!