Is it possible to set a password so users can't disable, change, or unistall the client on the local desktop?
Go to the policies page, find the "Base - CSA Service and client UI control" In there you will see the "Base - CSA client UI control" rule module and then you will see the "Base - CSA service control"
The service control is targeted more for the protection of the service from other applications attempting to kill/stop/modify the CSA agent service, not so much for user protection.
Located in the "Base - CSA client UI control" rule module itself, you will see the "Agent UI control rule", examine it and you will see the following:
Agent UI control rule 
Control agent UI interaction
Allow user to reset agent UI default settings
Allow user interaction
Allow user access to agent configuration and contact information
Allow user to modify agent security settings
Allow user to modify agent personal firewall settings
Suppress taskbar notifications
Obviously if you check/uncheck these it will either allow or not allow respectively.