We use it for our intranet. Users have the following:
Read-only to the web root and Templates folder (necessary for
setting up the site and using templates).
Read/Modify to _mm and MMWip at the root level (necessary for
Contribute temp files).
Read/Modify to their individual folder under the web root.