I work for a university, and we have been having some difficulty deciding on a way to handle permissions for our faculty and staff. We want them to be able to install into /Applications, but we do not want for them to be able to access the more "sensitive" preference panes (such as network). Previously we tried creating a new group and using it to limit access to System Preferences, but we later found that this breaks, making System Preferences completely inaccessible (apparently it likes to remain part of the "wheel" group).
So what to do? Here's a possible solution for 10.3. Make a new user using the "Accounts" preference pane. Click on "Limitations" and choose "Some Limits." Uncheck "Open all System Preferences." The user will now be unable to open important preference panes.
Now open Netinfo Manager and authenticate. Click on Groups and then choose the Admin group. Click on the users property and then hit Command+Option+N to insert a new value. Type in your new user's short name. Save your changes with Command+S and quit.
Now in System Preferences you should see that your new user is described as being Admin, Managed. Your user can now install into Applications, but have no access to the crucial system preference panes! Of course this probably isn't 100% secure, as an Admin user could probably find a workaround for this limitation. However, it appears to have solved our problem in a simple way, without having to extensively modify the overall system permissions.
[robg adds: I haven't tested this one, and I think the security caution is a good one -- this may work for simple cases, but it's not designed to keep a dedicated tweaker out of the key areas of the system. Can anyone comment on a more secure way to accomplish the same result?]
Mac OS X Hints
http://hints.macworld.com/article.php?story=20040321115235296