Configuring TFS2010 so users can create/update bugs but modify nothing else

Environment: I am administrator of a project in TFS 2010, but don't have any administrative rights for the project collection.

Is there an easy way that I can set up access rights for a group of users so that they can:

• Create/update "Bug" work items only
• View all other work items
• Execute work item "Team Queries" and create their own queries
• No access to source control

The idea is I want them to enter bugs, but I don't want them creating/modifying User Stories or Tasks, nor do I want them to have access to source control.

From what I can see, the standard groups don't have fine enough control:

• Contributors can create all work item types
• Readers can view files in Source Control as well as work items.

UPDATE

Limiting access to Source Control is covered by Ewald's answer.

However Ewald also indicates that there isn't a realistic way to set up security on the "Work Item Type" level so that users can only enter/update bugs. He suggests it could be achieved by customising every work item definition and setting field rules for every field on every work item type, but this is a lot of work, and in any case I want to avoid customising the process template.

I've therefore created an issue on Connect for this: https://connect.microsoft.com/VisualStudio/feedback/details/591121/configuring-tfs-project-so-that-users-can-create-update-bugs-but-modify-nothing-else