p.157 of the vSphere Virtual Machine Administration Guide lists the required privileges to create a virtual machine. You didn't say anything about non-KB articles. 
I think your approach of using "No Access" is probably still going to be required.
Is he getting a specific error or what exactly happens when he tries to open a console?
