#create a (Script) Python called restrictZMIAccess
#in the root of your CMF Site

REQUEST=context.REQUEST
RESPONSE=REQUEST.RESPONSE

urlUnauthorized = context.portal_url()
member = context.portal_membership.getAuthenticatedMember()
path_info = REQUEST['PATH_INFO'].split('/')

if ( 'manage' in path_info or \
     'manage_main' in path_info ) and \
     'Manager' not in member.getRoles():
        return RESPONSE.redirect(urlUnauthorized+'?portal_status_message=Not%20Allowed.')

#click on the Proxy tab, and highlight Manager.  Each time this script is run
#it will be run as Manager (so you will always be able to access .getAuthenticatedMember())
#or your users will be prompted for a password with higher level access.

#now add a 'Set Access Rule', type restrictZMIAccess, click Set Rule.