Have you tried this with two policies:
inside > outside - where app control blocks the use of these apps
ouside > inside - where the 2 apps are allowed, and the admin starts a session to these apps
If that fails, another idea may be to use webfilter override so that the user can temporarily bypass that with a user/password you provide, and which you change or disable after the session. This may be more complicated to implement than your idea to disable/enable of app control profile on a policy for that specific user IP (so you don't allow everyone the access during that time).
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -