Is it possible to create a Read-Only user in ESMAC?  Is this possible using MF internal security to have a user ID with just read-only access to viewing Resources, SEP's, and clients?

Unfortunately the default MF internal security is not intended to provide this level of granularity. However, this could be accomplished by moving user definitions and resource controls to an LDAP repository such as Microsoft's Active Directory (AD) or Active Directory Application Mode (ADAM).

The section of the documentation titled "Initial Setup of Enterprise Server Security with Microsoft Active Directory" is a good starting point if you wish to make the transition.