Why don't you just set the ACL on your deploy dir so that they cannot touch the config files?
That certainly would work but it's a bit inelegant, no? I would much rather be able to control the behaviour through the configuration files than with filesystem permissions that have to be manipulated pre/post deployment. So, based on your response I assume that there is no configuration option to turn of auto-redeploy?
I don't care about 'elegance' as long as it works...
Another option might be to set the ScanPeriod of your DeploymentScanner to a Really Big Number(tm)