Just open regedit (run as admin!) and browse to the key in question. Right-click on the key and choose "Permissions...".
Click the Advanced button.
Uncheck the "Include inheritable permissions" checkbox. Click Apply. (A system window appears, asking if you want to add the inherited permissions or delete them. Click Add.)
Check the "Replace all child object permissions" checkbox. Click Apply. (Another system message appears, stating that you are overwriting all children with inherited permissions from the parent object. Pick YES.)
Now that we have sanitized the ACL's inheritance for this object, we can manage it.
First, be sure to give full control to administrators:
Select Administrators from the list, and click edit.
Make sure Full Control is checked, if it is not already. (If not, clicking this explicitly grants all privs to Administrators group users for you.)
Click OK.
Now we limit what normal users can do:
Select Users from the list, and click Edit.
Uncheck Full Control if it is already checked. (This is what we DON'T want!)
Uncheck Set Value.
Uncheck Create Subkey.
Uncheck Create Link.
Uncheck Delete.
Uncheck Write DAC.
Uncheck Write Owner.
DO NOT click anything in Deny!! (The way Windows permissions work, Deny takes priority over Allow. Since all users, including admins, are members of the Users group, this Deny will override the explicit Allows given to that group!! Unless you WANT a registry key that is untouchable, DO NOT check any of the Deny boxes!)
Click OK.
Click OK again to close the advanced permissions editor.
Click OK again to close the general permissions editor.
BOOM-- All safe now.
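
The same steps scripted in PowerShell, as an added example that is not part of the original post. The key path is a hypothetical placeholder, and the built-in Administrators and Users groups are referenced by their well-known SIDs rather than by name.

```powershell
# Added example. $keyPath is a hypothetical placeholder; run from an elevated session.
$keyPath = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
$sidType = [System.Security.Principal.SecurityIdentifier]

# Well-known SIDs, so the script does not depend on localized group names.
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'  # BUILTIN\Administrators
$users  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'  # BUILTIN\Users

# 1. Stop inheriting from the parent, keeping the inherited entries as explicit
#    copies (the "Add" choice in the dialog). Persist, then reload the ACL.
$acl = Get-Acl -Path $keyPath
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $keyPath -AclObject $acl
$acl = Get-Acl -Path $keyPath

# 2. Replace the Allow entries: Full Control for Administrators, read-only for
#    Users. ReadKey = Query Value + Enumerate Subkeys + Notify + Read Control,
#    the boxes the steps above leave alone. No Deny entry is created.
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$full    = [System.Security.AccessControl.RegistryRights]::FullControl
$read    = [System.Security.AccessControl.RegistryRights]::ReadKey
$adminRule = New-Object System.Security.AccessControl.RegistryAccessRule($admins, $full, $inherit, $none, $allow)
$userRule  = New-Object System.Security.AccessControl.RegistryAccessRule($users, $read, $inherit, $none, $allow)
$acl.SetAccessRule($adminRule)   # SetAccessRule first removes other Allow entries for the same SID
$acl.SetAccessRule($userRule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. "Replace all child object permissions": re-enable inheritance on every
#    subkey and drop its explicit entries so it follows the parent key.
foreach ($child in (Get-ChildItem -Path $keyPath -Recurse)) {
    $childAcl = Get-Acl -Path $child.PSPath
    $childAcl.SetAccessRuleProtection($false, $false)
    foreach ($r in @($childAcl.GetAccessRules($true, $false, $sidType))) {
        $childAcl.RemoveAccessRuleSpecific($r)
    }
    Set-Acl -Path $child.PSPath -AclObject $childAcl
}

# 4. Verify: list the result and flag any Deny entry, which would override the
#    Allow entries above for every member of the group it names.
$final = (Get-Acl -Path $keyPath).Access
$final | Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited
if ($final | Where-Object { $_.AccessControlType -eq 'Deny' }) {
    Write-Warning "Deny entries are present on $keyPath"
}
```

Entries for other principals that were copied from the parent in step 1 (SYSTEM, CREATOR OWNER and so on) are left as they are; review them in the table printed by step 4.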