Restricting templatedata access for business users

System

Sorry if this is a dumb question...but I've searched the forums, read the manuals...and still can't find a good answer.

Does the average user need access to the entire /templatedata directory or just the /data directory? I'm asking because we have some "ambitious" business users who have been "hacking" our tpls and making unauthorized changes to our branding.

Unfortunately, TeamSite was implemented with the Professional UI in 2000 and we haven't been able to move to the Standard UI where the user wouldn't "see" the /templatedata directory and be tempted. We are very traditional in our use in that we have our authors go through the /htdocs directory to their generated file (all html) in order to edit their dcr...so they have to have access to the /data directory under /templatedata in order to save their data.

Directory structure in the workareas:

/htdocs
/templatedata
   /data
   /presentation
   datacapture.cfg


Is there an easy way to restrict authors from accessing the /presentation directory and the datacapture.cfg in /templatedata so that they can't change the branding of the site without affecting their ability to save the dcr or generate the output file? I know we could go into each directory and set the Windows permissions...but is there a better way?

We are currently on TeamSite 6.5 (SP3) - but moving to TeamSite 6.7.2 in 2 months.

Thanks for any opinions or suggestions.

Melody