Look in the Groups list for any groups that have automatic assignment via the User RegExp and remove the RegExp.
Create a group called “Canstilledit” (Administration/Groups/Add Group). Admins are automatically added. You may need to review who is an admin and remove them.
For each product uncheck “Open for bug entry” to not allow creating new tickets.
Use “Edit Group Access Controls” and check the “Canedit” boolean for only that new group “Canstilledit”, so “this product will be read-only for any users who are not members of all of the groups with Canedit selected” which would be that one new group.
Make sure all other checkboxes are unchecked.