If you trust him enough to give him limited (whatever that means) Admin access, you trust him enough to just give him an Admin account.
If you don't trust him with an Admin account, any user who knows enough will be able to take whatever privileges you grant and turn that into full access.
Besides if he has physical access to the machine all bets are off.
Security is a matter of risk management, because it's impossible to completely secure anything. I'm not assuming he's malicious, I just want to make elevating privileges himself too much of an annoyance to bother with for things I'd rather he ask me about anyway (like repartitioning the hard drive).
I don't want to make it convenient for him to make sweeping system changes. However, I trust him enough to install/modify/remove applications and to modify network settings (i.e. connect to a VPN using Network Preferences). I'm looking for a way to make that happen, not to "completely protect" my system against him.
To modify network settings he needs to be able to unlock the preference pane. If you can unlock one pane you can unlock them all including Users & Groups.
While it is more feasible to allow him some latitude in the application-installing scenario, it's going to be a pain. The non-server version of OS X is just not set up for this. Either a user has admin privileges or he doesn't; there is no part way.
Again if you trust him then you should also trust him not to do what you don't want him to do. If you tell him he can do x but please don't do y and you think he won't abide by your rules then giving him any access is potential trouble.
And again if he can get to the machine when you are not around he can do what he likes, privileges or no privileges.
I see. Out of curiosity, how does one gain permissions to unlock the preference pane? Is it with membership in a certain group, i.e. admin? Does the System Preferences app just perform a check on the user who is supplied at the prompt? Mildly annoying lack of granularity there; however, since OS X Server is only $20, perhaps that's worth checking out. Thanks!
If you want to limit a user's access to something, no matter how big or small, you must not give that user an admin account, or tell him an admin account's password. An admin user owns the machine and can undo any limits another admin user may place.
You might want to give the guy a non-admin account and then look into modifying the /etc/authorization file. This file configures what tasks can be done only by admins and what can be done with only user privileges. Modify the file to suit.
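As an added illustration of the /etc/authorization approach in that answer (not code from this thread; written against the pre-10.9 plist layout that file had), this Python parses a constructed sample and shows the difference between a right that needs an admin's credentials (class `user`, group `admin`) and one any user may exercise (class `allow`). It assumes the Network pane checks the generic `system.preferences` right plus `system.preferences.network`, while Users & Groups checks `system.preferences.accounts`.

```python
import plistlib
from typing import Any, Dict

# Constructed sample in the pre-10.9 /etc/authorization plist layout (not a copy
# of any real machine's file). The right names are real System Preferences rights.
SAMPLE_AUTHORIZATION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>rights</key><dict>
    <key>system.preferences</key><dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
      <key>shared</key><true/>
    </dict>
    <key>system.preferences.network</key><dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
    </dict>
    <key>system.preferences.accounts</key><dict>
      <key>class</key><string>user</string>
      <key>group</key><string>admin</string>
    </dict>
  </dict>
</dict></plist>"""

def load_rights(blob: bytes) -> Dict[str, Any]:
    """Return the 'rights' dictionary: right name -> rule dictionary."""
    return plistlib.loads(blob)["rights"]

def who_may_exercise(rights: Dict[str, Any], name: str) -> str:
    """Describe who satisfies a right: class 'user' means a member of `group`
    must authenticate at the prompt; 'allow' and 'deny' ask for no credentials."""
    rule = rights[name]
    cls = rule.get("class")
    if cls == "allow":
        return "everyone"
    if cls == "deny":
        return "nobody"
    if cls == "user":
        return "members of " + rule.get("group", "(no group)")
    return "delegated to rule " + str(rule.get("rule"))

def open_right_to_all(rights: Dict[str, Any], name: str) -> Dict[str, Any]:
    """Copy of `rights` with one right switched to class 'allow'; this is the
    edit a script would write back for just that right, leaving the rest alone."""
    updated = dict(rights)
    updated[name] = {"class": "allow", "comment": "opened to all users"}
    return updated

def admin_only_rights(rights: Dict[str, Any]) -> list:
    """Rights that still require an admin group member to authenticate."""
    return sorted(n for n in rights if who_may_exercise(rights, n) == "members of admin")
```

On 10.9 and later the same rights live in the authorization database rather than a flat file and are inspected or changed with `security authorizationdb read|write <right>`; the class and group semantics are unchanged.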