Assuming you're using ePO 4.6 and VSE 8.8: In the Policy catalog go to VirusScan Enterprise 8.8.0, then General Options Policies.
On the "Password Options" tab you can choose to protect the settings with a password and also which items to protect, or not protect.
If the Virus Scan is managed by EPO even if end users change locally tpe policies of AV the McAfee Agent will some minutes after load the EPO server policies.
It possible to install the AV one by one on each computers but it is a waste of time if you have a lot of computer.
Firstly you can deploy AV via EPO.
Secondly, you will uninstall the agent via EPO on selected computer.
Finally, those end users can modify their policies.
mapc, thank you for the reply. So the idea is if there is no password then they can modify any of those settings. passwords are there to lock them out?
willsonlebig, thank you for the reply. that's a decent option. push agent, push av, uninstall agent. does that violate license agreement if we bought ePO for the company?
Yes, I think that's the idea. Then you'll also have to tell VSE not to overwrite client exclusions etc. That is done in the different policies for high-risk, low-risk, and default processes.
If you choose to install as ditguy2012 suggests, I think it's better to do a standalone installation of VSE. If no agent is present while installing VSE, VSE will install an updater.