Your comments

Unfortunately, we need the best of both worlds. Our IT staff need to be able to remote and resolve issues, with a small subset of people that can do view only on just a handful of machines.

There is a manual option by editing the roles.xml file, but this applies to all computers. There also needs to be an option for view only based on groups so we can also restrict access to view only to within a certain group.