NetworkManager does not trust its D-Bus clients and uses PolicyKit to check whether a certain user action is allowed or denied. NetworkManager's D-Bus API exposes these PolicyKit permissions to the client, and they are accessible via libnm (nm_client_get_permission_result()).
Maybe nm-applet could implement a restricted mode by autodetecting which parts are restricted using PolicyKit permissions. However, it doesn't. If you look at the code, the permission checks there are merely to see whether a certain GUI option should be enabled or not. The intend is to avoid exposing a UI option that is know to fail, not to protect the system from the user.
Re: #14.
NetworkManager does not trust its D-Bus clients and uses PolicyKit to check whether a certain user action is allowed or denied. NetworkManager's D-Bus API exposes these PolicyKit permissions to the client, and they are accessible via libnm (nm_client_ get_permission_ result( )).
Maybe nm-applet could implement a restricted mode by autodetecting which parts are restricted using PolicyKit permissions. However, it doesn't. If you look at the code, the permission checks there are merely to see whether a certain GUI option should be enabled or not. The intend is to avoid exposing a UI option that is know to fail, not to protect the system from the user.
I think what I said in comment #13 is correct.