Hi Paul, I see this is nearly a month old, but someone should have responded before this.
To get around this problem I created a "Sub-Manager" role. (Assuming you are using v2.x, but the same can apply in v1.9.) Essentially, I restricted the assignment options to System only, then went through the entire permissions structure and prevented editing of anything. I also removed User data viewing options. I did not get any complaints about what the person could not do or go or see, so either they did not run into a problem, or they have not been in to look yet. Who knows...