Hi Doug,

It's a bug fix, actually.  "Read Only" is supposed to mean "View, nothing else."  In versions prior to the current release, limited admins could actually run commands that made changes on read-only groups.  That's been fixed.

There are currently nineteen "limited administrator" suggestions / enhancement requests / changes proposed in the forum's "Ideas" section.  If you'd like to see changes (increased granularity? more power? less?) in the was SEP interacts with LImited Admins, please pay a visit and let your voice be heard!

Thanks and best regards,

Mick

Here is a list of few Fix incorporated in RU5. Hope this helps

The Search Client option allows limited administrators to run commands on computers in groups with no access rights
Fix ID: 1589447
Symptom: The Search Client option shows computers in groups that limited administrators do not have permissions to access.
Solution: Only show the allowed groups to limited administrators.

A Limited Administrator account is able to create packages, upgrade groups, and view reports for groups that have been blocked
Fix ID: 1631487
Symptom:A Limited Administrator account is able to create packages, upgrade groups, and view reports for groups that have been blocked.
Solution: Fixed various user interfaces in the console to limit administrator access.

Symantec Endpoint Protection Manager limited administrators can still perform administrator tasks
Fix ID:  1222797
Symptoms:  A Limited Administrator in Symantec Endpoint Protection Manager still has the ability to block the addition of clients to a group and add install packages to groups by right clicking the white space on the Install Package tab and clicking Add.
Solution:  Updated the user interface panels to adhere to the user's permissions.

This article has some more on the subject:

Limited Administrator can edit policies and run commands on groups with “Read-Only” permission.

Thansk and best regards,

Mick