Since the default mode for Access Control when created is to allow all rights to all users for back-compatibility, it is recommended that perms be "locked down" first, and only granted as needed. The webinator user, having the irrevocable ability to reset ACLs, should remain a "superuser" with all access, and other accounts turned into lesser-permission users. Lockdown should happen in this order:
With these perms, users other than webinator - including new users and profiles created in the future - will not be able to see or modify administrative settings. They can be granted perms as needed later, for example, the Read right could be removed from the Global deny ACE so that they can read but not modify any admin action/setting.