You could set all of the following in cgi.cfg, assuming that you have nagios running as the nagios user/group:
I'd recommend not setting:
so that they can't stop your demo.
Mind you, this is VERY insecure, but if it is simply a demonstration page you probably aren't worried about who looks at it. Be absolutely sure to disable external commands, else your server might get owned! In nagios.cfg:
This means that they can't enable/disable any service checks, but at least they can see your pretty nagios screens.