OK. The only way I could get this to work somewhat how I wanted was to make the following changes:
- Edit the AV policy to enable and lock Auto-Protect. This greyed out the "Disable Symantec Endpoint Protect" option on the systray icon.
- Lock the Tamper Protection option under Clients - Policies - General Settings.
- Create another group without these restrictions. When someone needs to make changes, it will have to be managed by me or another domain-admin-level person. I would move the client into the new group and update the policies. Once done, the user will be able to do whatever they need to do. At the end of a certain time period, I would move the machine back into its original group and update the policy again.

In other words, do what Brian suggested toward the top of this thread.
Not how I wanted, but support told me that what I want isn't possible, at least with the version I am trying to use. As a refresher, I want to require a password for anyone trying to disable the client, administrator or otherwise. It seems my only options are to have it available or have it greyed out.