OS X AFP shares and access
Solution 1:
Replaced my original answer after doing some testing of my own using a OS X 10.5.6 Server and a 10.5.7 Client:
What I found after a bit of experimentation is that OS X is a bit crazy when it comes to ACL inheritance for share points. ACLs that are inherited will always take precedence over ACLs that are set at the share point (or lower in the tree) but only for write permissions. You can quite happily give a user read permissions on a folder down the tree a bit and it'll work, but if you give them write it'll fail hopelessly.
What does work. Turn off inheritance for the deny rule above the problem share (you can have it there, just don't have it inherit in any way). Then explicitly set the deny at the share point (turning inheritance on at this point seems to work just fine). My testing had that working without issue but it'd be a pain if you had to manage hundreds of similar shares.
One option might be a top level blanket deny on Everyone having read and then the no-inherit block on write as suggested above. Please let me know how you get on as I'm interested for my own share management.