Hi
Why are you creating not two SubTypes of the WTChangeOrder2? Modify the out of the box WTChangeOrder2 type that no instance can be created and set the tick to the sub types. So each type can have separete attributes and access rights.
I would answer your question, that the access is being inherited from the default type to the subtype. So if you allowed to create a Change Order you also allowed to create the subtype.
Regards
BJörn