For starters, be very specific about the type of traffic you want to allow. Have a default deny rule then allow ports like 80, 443, 993, 587, 143, 110, 995, 465, 25 (I personally would rather not open this, but you probably will get a ton of complaints if you don't). Also permit UDP connections to port 53 on OpenDNS' servers.
This will give you a great start. It'll kill most of the bandwidth hogging protocols. It'll also block a lot of VPN connections (not ssl vpns though) which should help prevent people from bypassing your security.
If you have a firewall capable of blocking filetypes, you should probably also block exe, bin, com, bat, avi, mpeg, mp3, mpg, zip, bz2, gz, tgz, dll, rar, tar and probably a bunch of others I'm leaving out.
Other than that, your current restrictions are probably decent enough. You can add updates to the list. Personally, I wouldn't block A/V updates. If you really want to, you can block their entire domains (*.symantec.com, *.mcafee.com, *.trendmicro.com, etc). Microsoft update URLs are available at http://technet.microsoft.com/en-us/library/bb693717.aspx
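The default-deny egress policy described in this answer, written out as an added example (not the answerer's own configuration): a POSIX shell script that emits iptables FORWARD rules for a gateway. The interface name, the `--apply` flag and the logging rule are my assumptions; the two OpenDNS resolver addresses are the publicly documented ones and should be checked against OpenDNS' current documentation before use.

```shell
#!/bin/sh
# Emit iptables rules for a gateway's FORWARD chain: default deny, then the
# TCP ports listed in the answer, then UDP/53 only to OpenDNS resolvers.
# Usage:  ./egress.sh            -> print the rules (dry run)
#         ./egress.sh --apply    -> pipe them into sh (root + iptables needed)
LAN_IF=${LAN_IF:-eth1}                      # assumed client-facing interface
ALLOWED_TCP="80 443 993 587 143 110 995 465 25"   # 25 is optional, see above
OPENDNS="208.67.222.222 208.67.220.220"    # OpenDNS public resolvers

egress_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # replies to connections the gateway already allowed
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $ALLOWED_TCP; do
        echo "iptables -A FORWARD -i $LAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # DNS only to OpenDNS; any other resolver falls through to the default deny
    for r in $OPENDNS; do
        echo "iptables -A FORWARD -i $LAN_IF -p udp -d $r --dport 53 -j ACCEPT"
    done
    # log (rate-limited) what the default deny catches so bypass attempts
    # are visible in syslog, then drop explicitly
    echo "iptables -A FORWARD -i $LAN_IF -m limit --limit 10/min -j LOG --log-prefix 'EGRESS-DROP: '"
    echo "iptables -A FORWARD -i $LAN_IF -j DROP"
}

if [ "${1:-}" = "--apply" ]; then
    egress_rules | sh
else
    egress_rules
fi
```

Everything not matched by an ACCEPT rule, including VPNs on non-standard ports and DNS to third-party resolvers, is logged and dropped.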
Best Answer
You're going to want to get in touch with a major vendor like Cisco or Aruba.
When you get that many people in a contained area, throughput isn't your (main) problem, interference is. For a deployment like this, you're going to need a large volume of APs capable of real-time channel select based on interference and auto-power adjust based on proximity to friendly neighbor APs. I know that most of the Cisco controller-based lightweight APs do this. I don't know if their autonomous line can, but even if they could, managing that many autonomous APs would be a headache in itself.
We don't do specific product recommendations on Server Fault, but I can tell you that trying to cheap out is only going to cause you to fail miserably. It's going to cost a lot and you're going to want to go with a major vendor that caters to large deployments.
You should also do your best to offer wired connections wherever possible to alleviate the load on the wireless network. 802.11 just isn't designed to have 10k concurrent users in the same confined space. If you have vendor tables/presenter rooms, give them switch ports and Cat5e/6 to plug in with (lots of people don't travel with these any more).
edit: Another advantage to going with high-end gear is that it can make clients "prefer" 5GHz A/N, which will also help alleviate some of the interference problems. Cisco APs can be configured to ignore the first X B/G probes and only respond to A/N probes. Usually configuring this where X = 3 is enough to get a bulk of users onto the 5GHz band while not lengthening association times by more than a second or two. The more users that you can push to the 5GHz band, the better. It'll still be crowded with that many users, but you won't have to compete with all of the 2.4GHz noise that is much more common than 5GHz noise.
I'm sure that other enterprise-grade APs can be configured in a similar fashion, but I'm only familiar with Cisco gear in the wireless space.