The administrator/developer/user of a security policy should be able to set "User approved Write" not just "Read" "Add" "Change"...
A program permited to over write a program file with
"User approved Write" will not unncontolably write Viruses to random program files, but permit a compiling or UnZipin of program files only if approved by the user leaving the user in control.
Administrator is to set this level to avoid unnessesary annoying user interaction. (Maybe user can say "Yes to all"? or "Yes to all this session")