It seems that users who are not in the confluence-administrators group can do some things in the Administration area, which is probably not a good thing.

Specifically, one user who is not a member of confluence-administrators:
General Configuration - no access
Look & Feel - no access
Site Decorators - no access
Shortcut Links - no access
Global Templates - can see templates - I don't have any defined at the moment so don't know if they can do anything with them
Mail Servers - can't edit but can send a test email
Paths - can modify the backup path
Manage Macros - no access

Backup & Restore - no access
Rebuild Search Index - no access
Mail Queue - can view
SnipSnap Import - no access
License Details - no access
System Information - no access

Manage Users - no access
Manage Groups - no access
Global Permissions - no access

I think they should be prevented from doing anything.....