We have an AD group that has Deploy, Monitor, and Operator rights to a cell that has two nodes.                                               

                                                                       

We would like to know if there is a way to prevent this AD group from uninstalling or modifying one application that is deployed to a cluster but allow them the rights to modify other applications in the same cluster.                   

yes ... u can do it if you are on WAS7 or above. They are called 'security domains'

check in this book:
josephamrithraj.files.wordpress.com/2011...

Jospeh is referring to fine grained adminstratitive security which was first introduced in WAS v6.1 for wsadmin and the admin console in WAS v7.  You can define administrative roles that have access to a specific set of resources running in your WAS cell.  You can assign addminstrative roles at these levels: Cells, Node Groups, Nodes, Clusters, Servers and Applications.  Note that for some resources there is an inheritance heiarchy.  For example an Node level adminstrative role also has access to any servers running under that node. 

You would want to assign adminstrative role to specific applications.

See the "Authorizing access to administrative roles" section in the WAS v7 Infocenter -> tinyurl.com/l4ada7y