Well, the point is to set the particular settings as a convenience to our employees (such as allowed ports for a lot of the tools we use internally, Synergy for example, exclude certain paths from scanning, Visual Studio paths, source and binary paths on developer machines etc) so they don't all have to do it themselves when we roll it out using the Agent. But, as they are all Administrators and we trust their judgement, we still want these settings to be editable, as they may have their own special needs.
So "don't set the said settings" is a bit of a "cop out" in my opinion. If I don't set the setting in the policy (to avoid the padlock), I will have to either instruct all the employees how to apply the various settings themselves, or do it myself X number of times..
Surely there must be a way to apply a setting without restricting it?