Restricting the capability of ODBC users

I am hoping someone out there can give some guidance on how to solve the following problem.

We have a number of production Oracle based systems which our users access day in day out through business applications. These are both in-house developed and packaged based and give the users both read and write access to the data held within them.

Some of our users are now wanting ad-hoc query access to these databases for reporting purposes. We originally proposed Oracle Browser for such access as it provides a gauranteed read-only environment preventing the user from changing any data held within the system.

Now users are wanting to also get access to the data from the Microsoft Office products again for read only enquiry only. Here lies our problem. This can be easily achieved by giving them the Oracle 7 ODBC driver which then allows access from such products as Excel, Access etc. However this driver also gives Write access to the tables which we don't want to give. We also want them to use the same Oracle accounts that they use for the normal application access to the Oracle systems, for which they have Read/Write access, for enquiry access as well to make life as simple for them as possible however we cannot see a way of doing this when ODBC is used.

What I am wondering is whether there is anyway to configure the ODBC driver to only allow read access to the nominated data sources or even whether we can use some form of roles which can be set according to whether the user is accessing via ODBC or straight SQL or SQL*Net. I can't see how this latter option will work as my understanding is that ODBC uses SQL*Net anyway.

Any thoughts or suggestions would be greatly appreciated.

--
Ross Ellard
Devonport Management Ltd, UK