I think that you can deny an insert from a dbo. The dbo can change the permissions so he'll be able to use the insert statement but as long as someone denied him the permissions and he didn't modify the permission, he won't be able to run an insert statement. The code bellow illustrates it.

CREATE DATABASE Test

go

USE Test

go

CREATE TABLE T (I INT)

go

DENY INSERT ON T TO PUBLIC

go

--run an insert statement as admin. This should work

INSERT INTO T (I) VALUES (1)

GO

--See that the record was inserted

SELECT * FROM T

GO

--Creating a new login and user and adding him to the db_owner role

CREATE LOGIN DBOwnerTest WITH PASSWORD = '1QAZ@wsx'

go

CREATE USER DBOwnerTest FOR LOGIN DBOwnerTest

go

EXEC sp_addrolemember db_owner, DBOwnerTest

go

--Executing as the user DBOwnerTest

EXECUTE AS USER = 'DBOwnerTest'

--make sure that I'm running as DBOnwerTest and that I'm part of the db_owner role

SELECT USER_NAME(), IS_ROLEMEMBER('db_owner')

--Trying to insert a record into the table. I'm getting an error

INSERT INTO T (I) VALUES (2)

go

--Modifying the permissions so the dbo will be able to insert data

REVOKE INSERT ON T TO PUBLIC

go

--Running the insert again. This should work

INSERT INTO T (I) VALUES (2)

go

--running the script again as admin and clean up the mess:-)

REVERT

USE master

go

DROP DATABASE Test

go

DROP LOGIN DBOwnerTest

Adi