You for sure want strong security in place. USBs are the least of your concerns (while certainly an attack vector). The users must have internet access, from which they can download literally anything and run it on the computer, without the need of a removable device.
The best option is to harden the whole security of the system and take permissions away from the user as much as you can. After all, running a browser doesn't need much system access.
A few things I would implement:
Run as standard user. There must be a user account dedicated to customers, which must of course NOT be an administrator. This account thus cannot make any system-level changes or remove protection mechanisms installed elsewhere. It can be set to autologin into this account. When an employee needs to perform maintenance he can simply log out and enter with a second, admin-level account or even better just use UAC to elevate what's needed. Make sure the admin account is strong enough.
AppLocker. This Windows feature limits what is allowed to run, basically letting just a few things run while everything else just gets an error. It could be a good idea to configure it to allow the basic tools your users need (like browsers, games, maybe a media player, etc.), as well as the normal Windows tools, and deny permissions on everything else. This works great to prevent infected USBs from running anything, as well as any downloaded thing. As it's a "whitelist-based" approach, you need to configure it carefully for the things you need, but after that it disallows any unknown thing. Infected USBs can then be safely plugged in as they won't run. Only available on Ultimate, but Professional has Software Restriction Policies instead.
Firewall. It's also nice to have a firewall that only allows specific programs internet access, while blocking everything else. Few routers actually have a nice firewall, and even fewer have it configured to do something meaningful. A software firewall is often better at filtering out bad things. Windows Firewall is a nice, built-in option, but again you must configure it to be restrictive enough to add some protection (its mere presence does nothing, and by default Windows Firewall is almost disabled).
Imaging. Another thing to consider is to use software like Deep Freeze or similar. Those things create a backup and restore it automatically on each boot, literally "freezing" the system from changes. The added security it provides is that the computer always boots from a known-good point, undoing any potentially malicious change users might make. It also serves as a privacy thing, as it cleans the browser history, temp files, and any password people might leave there, protecting not only the system but also users from each other. Best if you reboot after each customer leaves.
Control software. Most likely you already have some of this, but use of specialized programs to control the computers from a central server is a nice addition. That lets you control usage time, messaging and maybe log users out, lock/unlock PCs or reboot remotely. This mostly serves an informational use more than security, but worth having while possible.
Antivirus. As a last resort, putting antivirus on the computers might give small benefits. While generally those are now considered mostly ineffective and useless, from time to time they can flag malicious downloads or even phishing websites from careless users, giving some protection against online fraud. Otherwise they generally do little to protect the computer itself. Make sure you set them to auto-update their databases very frequently.
You can password protect the BIOS and disable the USB ports within the BIOS. Anyone who has something they want to introduce, have them bring it to whichever employee is supervising the café at the time.
Good tip! Forgot about that completely. I would, however, not disable USBs, as the computer can be protected in other more effective ways without sacrificing functionality. Having an employee copying the files over would also risk exposing the server to a malicious device, instead of the computers that are highly secured and limited.
What I would do is to disable booting from USB and CD in the BIOS (so reboots cannot put an external OS), then password protect it.
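The AppLocker item in the answer above, as an added example that is not part of the original posts: an allow-list policy limited to the Windows and Program Files folders, dry-run against a copy of an executable placed in a user-writable folder before being applied in audit mode. The policy file name and the test file name are hypothetical, and the rule layout follows AppLocker's stock default rules rather than anything the posters specified.

```powershell
# Added example, not from the original posts. Run from an elevated prompt.
# Rules follow AppLocker's stock defaults: Everyone may run executables under
# Windows and Program Files; Administrators may run anything.
$xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Windows folder" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators: all files" Description=""
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'kiosk-applocker.xml'    # hypothetical file name
Set-Content -Path $policyFile -Value $xml -Encoding UTF8

# Constructed test case: a copy of notepad.exe in a user-writable folder stands
# in for something downloaded or started from a USB stick.
$dropped = Join-Path $env:TEMP 'downloaded-tool.exe'        # hypothetical file name
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $dropped -Force

# Dry run: evaluate the policy file against both paths without applying it.
Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone `
    -Path "$env:WINDIR\System32\notepad.exe", $dropped |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply as local policy in audit mode. AppLocker evaluates nothing unless the
# Application Identity service is running.
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyFile    # without -Merge this replaces the local policy

# Review what would have been blocked, then change EnforcementMode to "Enabled"
# in the XML and apply it again.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 20 `
    -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

The copy in the temp folder matches no allow rule, which is the outcome the answer describes for anything started from a USB stick or a download; installed programs the customers need must live under one of the allowed folders or get their own rule.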