Not to discourage you Scott but I have been working on the intranet module (on and off) over the last couple of months. I wanted to do something similar to what you wanted to do as well. Employees should have basic rights to view projects and add reports but not add allocations or payments to them. My general thinking was that a basic employee can view things but not do much modification, project supervisors should be able to allocate payments and add or remove employees from a project etc.
As it stands I found no way to achieve this. I looked at using permissions of some sort but to no avail. Finally the simplest way to do this seemed to be to take the links for project allocations out of the page which is not satisfactory at all.
I switched over from Openacs to ACS recently and found no real difference in the way this approached. You just seem to have a choice of making a user a superuser with access to lots of things or an authorised user with access to very little.
I'm hoping ACS4 may be more capable in this regard as my understanding is that you will be able to set permissions for just about everything.
Not much help I know, but with luck someone can prove me wrong.
