Client scripts are easily hackable. A server side solution like an ACL or read-only dictionary attribute is more secure. You can go with a client script or UI policy, but keep in mind that the security is never going to be 100% enforceable.

When you tried the read-only checkbox on the table 2 reference field, you said it also made table 1 read-only. That should not be the case unless you are dealing with extended tables. Can you show me what happened?