So what to do? Here's a possible solution for 10.3. Make a new user using the "Accounts" preference pane. Click on "Limitations" and choose "Some Limits." Uncheck "Open all System Preferences." The user will now be unable to open important preference panes.
Now open Netinfo Manager and authenticate. Click on Groups and then choose the Admin group. Click on the users property and then hit Command+Option+N to insert a new value. Type in your new user's short name. Save your changes with Command+S and quit.
Now in System Preferences you should see that your new user is described as being Admin, Managed. Your user can now install into Applications, but have no access to the crucial system preference panes! Of course this probably isn't 100% secure, as an Admin user could probably find a workaround for this limitation. However, it appears to have solved our problem in a simple way, without having to extensively modify the overall system permissions.
[robg adds: I haven't tested this one, and I think the security caution is a good one -- this may work for simple cases, but it's not designed to keep a dedicated tweaker out of the key areas of the system. Can anyone comment on a more secure way to accomplish the same result?]

