by default administrators group has full control - the precedence is deny first and then allow, as the admin group has full access, the users on admin group will get automatically all access including modify.
You can try create a custom admin group and add those users, then provide necessary access.