The real danger with rights being changed, besides a user locking themselves out, is that they lock out the system account so backups and anti-virus can't run. But we all check our error logs for these products, right?
Now, this does mean a user could take ownership of the directory and give themselves full control, but this method will prevent your above average users from modifying it. Besides, it's fairly easy to script a "check system has rights" test, or to script enforcement. In any case, this was the best compromise between form and function.
Rights at the root folder for accounts:

| User Account | Minimum permissions required |
| --- | --- |
| Creator/Owner | Modify rights & Take Ownership, Subfolders And Files Only |
| Authenticated users | Traverse Folder/Execute File & List Folder/Read Data & Create Folders/Append Data, This folder only |
| Local System | Full Control, This Folder, Subfolders And Files |
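
One way to script the "check system has rights" test mentioned above, with optional enforcement. This is an added example, not code from the original post; the `$Root` path, the `-Enforce` switch and the `Test-SystemFullControl` helper are assumptions made for illustration.

```powershell
# Added example. $Root is an assumed path for the root folder described above.
param(
    [string]$Root = 'D:\Users',
    [switch]$Enforce   # report only unless this switch is given
)

# S-1-5-18 is the well-known SID for Local System; SIDs avoid localized account names.
$system      = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-18')
$full        = [System.Security.AccessControl.FileSystemRights]::FullControl
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-SystemFullControl {   # hypothetical helper name
    param($Acl)
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $allowed = $false
    foreach ($r in $rules) {
        if ($r.IdentityReference.Value -ne $system.Value) { continue }
        # Inherit-only entries apply to children, not to this folder itself.
        if (($r.PropagationFlags -band $inheritOnly) -eq $inheritOnly) { continue }
        # Conservative: any Deny entry for SYSTEM is reported as a failure.
        if ($r.AccessControlType -eq 'Deny') { return $false }
        if (($r.FileSystemRights -band $full) -eq $full) { $allowed = $true }
    }
    return $allowed
}

# Check the root folder and each first-level folder beneath it.
$folders = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Force)
foreach ($f in $folders) {
    try { $acl = Get-Acl -LiteralPath $f.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL (owner changed?): $($f.FullName)"; continue }
    if (Test-SystemFullControl $acl) { continue }
    Write-Warning "SYSTEM lacks Full Control: $($f.FullName)"
    if ($Enforce) {
        # Re-add the Allow entry from the table: This Folder, Subfolders And Files.
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $system, $full,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $f.FullName -AclObject $acl
    }
}
```

`-Enforce` only adds the missing Allow entry; a Deny entry for SYSTEM is still reported on the next run and has to be removed by hand.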