I have set use_authentication=1 in CGI.CFG and have the users for services created by htpasswd.
What I would like to do is stop these users from issuing service commands.
Is this possible?
I have read Authentication And Authorization In The CGIs
I doesn’t help much 
Hi
Yes u can.
Just go thrugh cgi.cfg.
there u will get lot of statements commented about authentication.
read them and give the proper authentication
Regards
Aparna
According to the docs, they are authenticated, they are in a hostgroup for contacts, so they have the permission to make service commands.
I know that sounds a bit wierd, but if you are allowing them access to view hosts, then you must need these people to know what is going on. Allowing them to the ability to submit passive check results, etc, is not that bad of an idea. If you find that these people abuse the nagios monitor systems, then report them as abusing it, and deal with them accordingly. or simply remove there access. This nagios thing is a tool, so if someone is attempting to break it, then ban em or something.
"Authenticated contacts* are granted the following permissions for each service for which they are contacts (but not for services for which they are not contacts)…
* Authorization to view service status information
* Authorization to view service configuration information
* Authorization to view history and notifications for the service
* Authorization to issue service commands "