Everybody is partially right here. :D
What the previous posts says is to lock the settings, but each suggestion is for one component only. End users can still be able to click on the "Disable.." option, but only the unlocked components will be disabled. I've previously setup for a client to allow the endusers to disable NTP but AV will still run. The client will PC has the "Disable..." option clickable but only the NTP component is stopped. Checking on task manager shows that the AV component is still up.