DigitalServices

Users with Modify permissions can also change permissions

We have Server 2003 on our servers.  Users who have modify permissions on a file or folder can also reset permissions on that object.  We are trying to find out how to prevent them from being able to do this.  I look at the fine-grained permissions and cannot figure it out.
Irwin Santos

How about removing MODIFY permissions?
DigitalServices

ASKER

But then the user can't create or change files, can he?
PS - I will check, but it looks to me like 'Write' enables him to create files, but he needs Modify in order to change existing files.
Netman66
Go into Advanced on the Security tab.
Select the Group you want to remove the permissions for.
Select the Edit button.
Either uncheck Take Ownership and Change Permissions or place a check under Deny for these permissions.
Make sure it's not a group like Authenticated Users or the Administrators will lose the permissions too.

This should take care of that problem.

Yes. Unfortunately, Change Permissions and Take Ownership are not ticked. We realise we could deny, and if we have to, we will. However, it seems a hack first to give something that you don't think you have given, and then to take it away.

BTW, I would have to do it by script, not using the GUI.  We have about 15,000 users :-)
ASKER CERTIFIED SOLUTION
Netman66
This solution is only available to members.
Ah.  The light comes on.  The user in question is owner, and therefore ... can change permissions.  I think that is it.  I will accept your answer once I have done a little testing.  Thanks so much.
Tested.  Alas, this is not the answer.  I created a file directly on the server, logged in as administrator.  Checked ownership.  It is owned by Administrators.  My personal account has only Modify, not Full permissions.  Yet on my XP machine, connected to the share containing that file, I can add or remove permissions for other users.  I could, no doubt, block "change permissions" permissions for myself, and similarly for all users for their own stuff, but that certainly looks like a hack.  I really want to understand what is going on and I don't.  
Double alas! This is the answer. I am afraid my normal (not admin) account isn't quite as normal as I had thought. Apologies. I will accept Netman66's solution, and thanks!
Hehe.. :o)

It happens to all of us at some point!

Thanks,
NM
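
The check the thread circles around, as an added example that is not part of the original posts: a PowerShell function that lists every principal able to change permissions on a file or folder, covering the owner (who can always do so) and any Allow entry carrying Change Permissions or Take Ownership, which Full Control includes and Modify does not. The function name `Get-DaclWriter` and the sample path are assumptions, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the thread): list who can rewrite the ACL of a file or folder.
# Get-DaclWriter is a hypothetical helper name.
function Get-DaclWriter {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # Access-mask bits that allow changing permissions, directly or indirectly.
    $WRITE_DAC   = 0x00040000   # "Change Permissions"
    $WRITE_OWNER = 0x00080000   # "Take Ownership" (a new owner can then rewrite the ACL)
    $GENERIC_ALL = 0x10000000   # appears on some inherit-only ACEs in place of Full Control
    $mask = $WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL

    $acl = Get-Acl -LiteralPath $Path

    # The owner can always change permissions, even with no matching ACE.
    [pscustomobject]@{
        Identity  = $acl.Owner
        Reason    = 'Owner'
        Rights    = 'implicit Change Permissions'
        Inherited = $false
    }

    # Allow ACEs that carry any of the bits above. Deny ACEs are not evaluated here.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Reason    = 'Allow ACE'
            Rights    = $ace.FileSystemRights.ToString()
            Inherited = $ace.IsInherited
        }
    }
}

# Usage (the path is a placeholder):
# Get-DaclWriter -Path 'D:\Shares\Example' | Format-Table -AutoSize
```

Compare the identities it returns with the group memberships of the account under test (`whoami /groups` in that user's session); an account that seems to hold only Modify but belongs to a listed group, or owns the object, can still change permissions.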