1. the so-called read-only access may not be enforced only by SQL server permissions. There are things which a DBA is trusted not to do.
2. DENY CREATE TABLE or GRANT CREATE FUNCTION could be involved for all I know.
Tim Wilkinson
"If it doesn't work in practice, you're using the wrong theory"
- Immanuel Kant