The only way I can think of to do this offhand is to set the privileges for that account to view only and then execute a re-login if they're coming in the "right" way.
Another option, which involves more work but is fundamentally more secure, is to mirror the data over to a second, "view only" file and use that for external access.
Thanks Mike. I thought of first option as well. Unfortunately if the user opens both files, the re-login script effectively changes the account in the external data source that the external file is using.
Your second suggestion sound like a possibility but the amount of work involved would be prohibitive.
Can you move the business rules into the data layer?
That sound like too much work also. I think the best thing would be to just create the layouts they need. If there is other specialized one-off stuff they want, they may just have to export the data.