The best I can come up with so far is an ini file like this. Here's some of the settings which I think might have been relevant:
sec.file.manager = no # this allows access to browse log files, but also to browse and edit collection config
sec.file.manager.edit = no
sec.administer.read = yes
sec.administer.system = no
user_type = normal
It seems impossible to allow browsing of files without allowing editing, so I'm going to have to provide direct links to the file viewer, eg:
Can the file manager be used to restrict access to config files? I wasn't able to get it to work, though I know I've used it in the past.