One common thing we run into in Salesforce.com is having to lock a record so that only certain groups can edit it once a certain stage or status is reached. There are two different schools of thought on the best approach to doing this.

The first is to use record typing. For instance, let's say you're working on an opportunity and want to lock down the record so that changes can't happen after it reaches a Closed Won stage. The easy way to do this is to create a new record type "Read Only", create a new layout for that record type, and then set all of the fields that shouldn't be edited to Read Only. Then you'd want to create a workflow that sets the record type based on the stage of the opportunity. It's all pretty easy, but you'll still need to address training issues at the start with users to be sure they don't create records with a "Read Only" record type. One other nice thing about this approach is that you can assign the normal record type that's Read/Write based on profile, so managers and administrators still have the ability to edit the data. With this approach, the page layout controls what's editable.

The second approach is to use a validation rule. In the validation rule, you simply check to see which profile is attempting the edit and check the stage/status. If your validation rule returns false, the save doesn't happen. One downside to this approach is that your users may waste time trying to edit something they can't save.

Personally, I like the first approach better, but it can become difficult to keep track of and maintain as lots of profiles are added to the system. The second approach can present some extra challenges as well, as it requires you to use the actual record id for the profile to check the validation. I don't like using record ids because it assumes you'll never move that code to a different instance or delete profiles.
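
A sketch of the validation rule from the second approach, on the Opportunity object, added here as an illustration and not taken from a real org. The two profile IDs are placeholders to be replaced with the IDs of the profiles that should keep edit access, which is exactly the hard-coded dependency described above.

```text
/* Validation rule on Opportunity (error condition formula).
   The save is blocked, and the rule's error message shown,
   when all of the conditions below hold. */
AND(
  /* Skip record creation; PRIORVALUE is only meaningful on edits */
  NOT(ISNEW()),

  /* The record was already Closed Won before this edit, so the
     edit that moves it into Closed Won is still allowed */
  ISPICKVAL(PRIORVALUE(StageName), "Closed Won"),

  /* The editing user's profile is not one of the exempt profiles.
     Placeholders: substitute the profile record IDs from your org. */
  $Profile.Id <> "<MANAGER_PROFILE_ID>",
  $Profile.Id <> "<ADMIN_PROFILE_ID>"
)
```

Because the IDs are literals in the formula, the rule has to be re-checked whenever it is deployed to another instance or an exempt profile is deleted or replaced.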