For the specific question though, right now you wouldn't be able to do this purely through permissions. Disabling an agent through the UI is considered to be changing monitoring settings so the users would need that level of permissions.
The closest you can likely get at this time is to define management zones that only have the desired host entities in scope. Then you can create a group with change monitoring settings permissions that only has that management zone in scope. Then those users could disable monitoring through the UI by navigating to the settings page for individual hosts. This would also allow them to make any of the changes displayed in that page.