This has been resolved in all versions 7.1 and greater.
In the Security Role Manager, there is a section of permissions titled "Policy Permissions". This section has two permissions, "Enable Policy" and "Apply to Resource Target".
According to the customer, "Enable Policy" never functions as expected: any user can enable any policy even when the permission is unchecked.
Here is an example of this issue (provided steps to duplicate):
The 'Enable policy' permission for the 'Altiris Agent Settings - Targeted' page (inherited from any parent folder) appears to have no effect on whether or not a role can disable/enable a policy in this page. Furthermore, when I removed the 'Write' permission to this page, I can still enable/disable the policies and click the greyed out 'save changes' button in the UI, but doing so will cause a 'The User does not have required permission to save item...' server error.

Steps to duplicate:
1. Go to Settings > Security > Role and clone the Symantec Administrator role.
2. Open the Security Role Manager for the cloned role, and select 'Settings' in the View dropdown.
3. In the Root folder 'Settings', disable the permission 'Enable Policy' and 'Write'; the 'Altiris Agent Settings - Targeted' page should inherit these permissions.
4. Log in to NS as a user with the cloned security role.
5. Navigate to Settings > Agents/Plug-ins > Targeted Agent Settings.
6. Select a policy from the left menu; all fields should be greyed out, but the policy on/off switch is still enabled.
7. Turn on a policy and click 'Save Changes'.
This issue has been fixed with SMP 7.0 SP5
Symantec Management Platform 7.0.7270 SP3