For Portal groups, we really need more fine-grained control over specifying who could do what within that group - i.e., a set of users who could fully administer the group, a different set that could share items and view (i.e., like read/write), and a set of users who can only view (i.e., read-only). You can get partway there by manipulating group properties, who is a member or not, and whether you publish items to a group only or to a group + Public (or the group + Organization). But these settings are all pretty coarse-grained, and no matter what combination you try, you inevitably end up with some situation you don't want.
Submitted on behalf of my DoD client.