If I am making a policy for RB411 and it can be opened only in telnet mode. Then how can make the policy in read only mode, because I can revert the policy in telnet mode and again it can be opened in winbox.
you can't do that, policies are not that advanced. I suggest simply not to give access to the router for people who you don't trust, or give them each a specific username, so you can see what they do there.