I think that you can deny an insert from a dbo. The dbo can change the permissions so he'll be able to use the insert statement but as long as someone denied him the permissions and he didn't modify the permission, he won't be able to run an insert statement. The code bellow illustrates it.
CREATE DATABASE Test
go
USE Test
go
CREATE TABLE T (I INT)
go
DENY INSERT ON T TO PUBLIC
go
--run an insert statement as admin. This should work
INSERT INTO T (I) VALUES (1)
GO
--See that the record was inserted
SELECT * FROM T
GO
--Creating a new login and user and adding him to the db_owner role
CREATE LOGIN DBOwnerTest WITH PASSWORD = '1QAZ@wsx'
go
CREATE USER DBOwnerTest FOR LOGIN DBOwnerTest
go
EXEC sp_addrolemember db_owner, DBOwnerTest
go
--Executing as the user DBOwnerTest
EXECUTE AS USER = 'DBOwnerTest'
--make sure that I'm running as DBOnwerTest and that I'm part of the db_owner role
SELECT USER_NAME(), IS_ROLEMEMBER('db_owner')
--Trying to insert a record into the table. I'm getting an error
INSERT INTO T (I) VALUES (2)
go
--Modifying the permissions so the dbo will be able to insert data
REVOKE INSERT ON T TO PUBLIC
go
--Running the insert again. This should work
INSERT INTO T (I) VALUES (2)
go
--running the script again as admin and clean up the mess:-)
REVERT
USE master
go
DROP DATABASE Test
go
DROP LOGIN DBOwnerTest
Adi
--------------------------------------------------------------
To know how to ask questions and increase the chances of getting asnwers:
http://www.sqlservercentral.com/articles/Best+Practices/61537/
For better answers on performance questions, click on the following...
http://www.sqlservercentral.com/articles/SQLServerCentral/66909/